Internal Control 


Learning Objectives 


After reading this chapter student should be able to - 

♦ Understand the concept of Internal Control in detail along with its objectives & control 
environment. 

♦ Explain about understanding the entity & its environment, including entity’s Internal 
Control. 

♦ Understand the factor relevant to the auditor’s judgement about whether a control is 
relevant to the audit. 

♦ Explain inherent limitations of Internal Control. 

♦ Understand aims of Internal Control so far as financial & accounting aspects are 
concerned. 

♦ Explain Relationship of Internal Control & Management. 

♦ Understand the responsibilities of auditor to communicate weaknesses of Internal 
Control to management. 

♦ Understand how review of internal control would help the auditor. 

♦ Understand the importance of testing of Internal Control & examination in depth. 

♦ Explain the relationship between the assessments of Inherent & Control Risks. 

♦ Understand the Internal Control & Computerized Information System environment. 

♦ Understand Internal check and Internal Audit. 

♦ Explain the relationship between statutory & the Internal Auditors. 

Control is a basic human requirement and it has existed throughout the ages in different facets 
of human activity. Business as such is a complex process and has grown even more complex 
with the technological advancement of the society. The formalisation of the concept of internal 
control in the sphere of business administration is a comparatively recent phenomenon. 

In the sphere of a business, control is an accepted device for optimum utilisation of the 
resources and opportunities for maximisation of profits. All operations of a business are 
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carried on with the help of human agents and equipment; both these factors need supervision 
so that the tasks assigned to them are properly carried out and avoidable wastes and losses 
do not occur to eat up the fruit of the enterprise. 

The internal control required by a sole proprietor of small business is not identical with that 
required for a large industrial organisation. A small trader having a grocery shop hardly needs 
more than one or two assistants. He decides the work to be done by the assistants. He always 
knows his own inventory, cash and bank position. He has the knowledge of daily sales. He 
himself knows the sources for purchases. He arranges transport and makes the purchases. 
He keeps the record of the trade receivables and trade payables. The assistants merely help 
him in delivering goods to customers or to arrange the goods in proper order. 

From the above, it can be observed that control is entirely centralised with the owner and 
there is no significant delegation of duties. However, as the business grows in size it soon 
reaches a stage where the owner can no longer keep him intimately informed about the 
detailed operations of his business, activities of the employees and the discharge of their 
responsibilities. To cope with the increasing size and volume of business, he has to employ 
more and more people and for systematically carrying on the business, he has to specify the 
tasks for each person. For remote operations he has also to rely upon these people, for 
carrying out the work, for the custody of the materials, documents and equipments entrusted 
to them. He has also to ensure that the equipment and facilities are properly maintained. For 
this purpose, he has to give shape to a form of organisation from which he would be in a 
position to know the broad details of the work involved and the persons responsible for such 
work. Also, he has to work out a plan of delegation of duties and authority for the simple 
reason that, for anything and everything, people need not come to him for advice or decision, 
because, under such circumstances, he would not be able to find time to apply his mind to 
matters of more importance. 

Human behaviour is such that if it is not under some sort of regulation or control, it often tends 
to depart from the proper path. It needs to be kept under systematic watch not only for 
ensuring that the employee does his work, but also to see that he does it in the manner laid 
down for the purpose and handles the material and equipment with proper care. 

4.1 Concept of Internal Control 

As per SA-315, “Identifying and Assessing the Risk of Material Misstatement Through 
Understanding the Entity and its Environment” the internal control may be defined as “The 
process designed, implemented and maintained by those charged with governance, 
management and other personnel to provide reasonable assurance about the achievement of 
an entity’s objectives with regard to reliability of financial reporting, effectiveness and 
efficiency of operations, safeguarding of assets, and compliance with applicable laws and 
regulations. The term “controls” refers to any aspects of one or more of the components of 
internal control.” 


© The Institute of Chartered Accountants of India 







4.3 Auditing and Assurance 


Objectives of Internal Control: 

(i) transactions are executed in accordance with managements general or specific 
authorization; 

(ii) all transactions are promptly recorded in the correct amount in the appropriate accounts 
and in the accounting period in which executed so as to permit preparation of financial 
information within a framework of recognized accounting policies and practices and 
relevant statutory requirements, if any, and to maintain accountability for assets; 

(iii) assets are safeguarded from unauthorised access, use or disposition; and 

(iv) the recorded assets are compared with the existing assets at reasonable intervals and 
appropriate action is taken with regard to any differences. 

4.2 Understanding the Entity and Its Environment, Including the 
Entity’s Internal Control 

The Entity and Its Environment: The auditor shall obtain an understanding of the following- 

(i) Relevant industry, regulatory, and other external factors including the applicable financial 
reporting framework. 

(ii) The nature of the entity, including: 

(a) its operations; 

(b) its ownership and governance structures; 

(c) the types of investments that the entity is making and plans to make, including 
investments in special-purpose entities; and 

(d) the way that the entity is structured and how it is financed; 

to enable the auditor to understand the classes of transactions, account balances, and 
disclosures to be expected in the financial statements. 

(iii) The entity’s selection and application of accounting policies, including the reasons for 
changes thereto. The auditor shall evaluate whether the entity’s accounting policies are 
appropriate for its business and consistent with the applicable financial reporting 
framework and accounting policies used in the relevant industry. 

(iv) The entity’s objectives and strategies, and those related business risks that may result in 
risks of material misstatement. 

(v) The measurement and review of the entity’s financial performance. 

The Entity’s Internal Control: The auditor shall obtain an understanding of internal control 
relevant to the audit. Although most controls relevant to the audit are likely to relate to 
financial reporting, not all controls that relate to financial reporting are relevant to the audit. It 
is a matter of the auditor’s professional judgment whether a control, individually or in 
combination with others, is relevant to the audit. 

An understanding of internal control assists the auditor in identifying types of potential 


© The Institute of Chartered Accountants of India 







Internal Control 4.4 


misstatements and factors that affect the risks of material misstatement, and in designing the 
nature, timing, and extent of further audit procedures. 

Purpose of Internal Control: Internal control is designed, implemented and maintained to 
address identified business risks that threaten the achievement of any of the entity’s 
objectives that concern- 

♦ The reliability of the entity’s financial reporting; 

♦ The effectiveness and efficiency of its operations; 

♦ Its compliance with applicable laws and regulations; and 

♦ Safeguarding of assets. 

The way in which internal control is designed, implemented and maintained varies with 
an entity’s size and complexity. 

Limitations of Internal Control: Internal control, no matter how effective, can provide an 
entity with only reasonable assurance about achieving the entity’s financial reporting 
objectives. The likelihood of their achievement is affected by inherent limitations of 
internal control. These include- 

(i) Role of Human Judgement: The realities that human judgment in decision-making 
can be faulty and that breakdowns in internal control can occur because of human error. 
For example, there may be an error in the design of, or in the change to, a control. 

(ii) Ineffective Operation of Control: Equally, the operation of a control may not be 
effective, such as where information produced for the purposes of internal control (for 
example, an exception report) is not effectively used because the individual responsible for 
reviewing the information does not understand its purpose or fails to take appropriate 
action. 
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(iii) Collusion among Employees: Additionally, controls can be circumvented by the 
collusion of two or more people or inappropriate management override of internal control. 
For example, management may enter into side agreements with customers that alter the 
terms and conditions of the entity’s standard sales contracts, which may result in improper 
revenue recognition. Also, edit checks in a software program that are designed to identify 
and report transactions that exceed specified credit limits may be overridden or disabled. 

(iv) Judgement by Management: Further, in designing and implementing controls, 
management may make judgments on the nature and extent of the controls it chooses to 
implement, and the nature and extent of the risks it chooses to assume. 

(v) Considerations specific to Smaller Entities: Smaller entities often have fewer 
employees which may limit the extent to which segregation of duties is practicable. 
However, in a small owner-managed entity, the owner-manager may be able to exercise 
more effective oversight than in a larger entity. This oversight may compensate for the 
generally more limited opportunities for segregation of duties. 

On the other hand, the owner-manager may be more able to override controls because 
the system of internal control is less structured. This is taken into account by the 
auditor when identifying the risks of material misstatement due to fraud. 

Division of Internal Control into Components: The division of internal control into the 
following five components provides a useful framework for auditors to consider how different 
aspects of an entity’s internal control may affect the audit: 

(a) The control environment; 

(b) The entity’s risk assessment process; 

(c) The information system, including the related business processes, relevant to financial 
reporting, and communication; 

(d) Control activities; and 

(e) Monitoring of controls. 

Characteristics of Manual and Automated Elements of Internal Control Relevant to the 
Auditor’s Risk Assessment: An entity’s system of internal control contains manual 
elements and often contains automated elements. The characteristics of manual or 
automated elements relevant to the auditor’s risk assessment and further audit 
procedures are explained hereunder- 

(i) Controls in Manual and IT System: The use of manual or automated elements in 
internal control affects the manner in which transactions are initiated, recorded, 
processed, and reported: 

(1) Controls in a manual system may include such procedures as approvals and 
reviews of transactions, and reconciliations and follow-up of reconciling 
items. Alternatively, an entity may use automated procedures to initiate, 
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record, process, and report transactions, in which case records in electronic 
format replace paper documents. 

(2) Controls in IT systems consist of a combination of automated controls (for 
example, controls embedded in computer programs) and manual controls. 
Further, manual controls may be independent of IT, may use information 
produced by IT, or may be limited to monitoring the effective functioning of IT 
and of automated controls, and to handling exceptions. 

(ii) Use of IT: An entity’s mix of manual and automated elements in internal control 

varies with the nature and complexity of the entity’s use of IT. 

(Hi) Generally, IT benefits an entity’s internal control by enabling an entity to: 

♦ Consistently apply predefined business rules and perform complex 
calculations in processing large volumes of transactions or data; 

♦ Enhance the timeliness, availability, and accuracy of information; 

♦ Facilitate the additional analysis of information; 

♦ Enhance the ability to monitor the performance of the entity’s activities and its 
policies and procedures; 

♦ Reduce the risk that controls will be circumvented; and 

♦ Enhance the ability to achieve effective segregation of duties by implementing 
security controls in applications, databases, and operating systems. 

(iv) IT also poses specific risks to an entity’s internal control, including, for example: 

♦ Reliance on systems or programs that are inaccurately processing data, 
processing inaccurate data, or both. 

♦ Unauthorised access to data that may result in destruction of data or improper 
changes to data, including the recording of unauthorised or non-existent 
transactions, or inaccurate recording of transactions. Particular risks may 
arise where multiple users access a common database. 

♦ The possibility of IT personnel gaining access privileges beyond those 
necessary to perform their assigned duties thereby breaking down 
segregation of duties. 

♦ Unauthorised changes to data in master files. 

♦ Unauthorised changes to systems or programs. 

♦ Failure to make necessary changes to systems or programs. 

♦ Inappropriate manual intervention. 

♦ Potential loss of data or inability to access data as required. 
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(v) Suitability: Manual elements in internal control may be more suitable where 
judgment and discretion are required. 

(vi) Reliability: Manual elements in internal control may be less reliable than automated 
elements because they can be more easily bypassed, ignored, or overridden and 
they are also more prone to simple errors and mistakes. Consistency of application 
of a manual control element cannot therefore be assumed. 

(vii) Nature of Entity’s Information System: The extent and nature of the risks to internal 
control vary depending on the nature and characteristics of the entity’s information 
system. The entity responds to the risks arising from the use of IT or from use of 
manual elements in internal control by establishing effective controls in light of the 
characteristics of the entity’s information system. 

Controls Relevant to the Audit: There is a direct relationship between an entity’s objectives 
and the controls it implements to provide reasonable assurance about their achievement. The 
entity’s objectives, and therefore controls, relate to financial reporting, operations and 
compliance; however, not all of these objectives and controls are relevant to the auditor’s risk 
assessment. 

(i) Factors relevant to the auditor’s judgment about whether a control, individually or in 
combination with others, is relevant to the audit may include such matters as the following: 

♦ Materiality. 

♦ The significance of the related risk. 

♦ The size of the entity. 

♦ The nature of the entity’s business, including its organisation and ownership 
characteristics. 

♦ The diversity and complexity of the entity’s operations. 

♦ Applicable legal and regulatory requirements. 

♦ The circumstances and the applicable component of internal control. 

♦ The nature and complexity of the systems that are part of the entity’s internal control, 
including the use of service organisations. 

♦ Whether, and how, a specific control, individually or in combination with others, prevents, 
or detects and corrects, material misstatement. 

(ii) Controls over the completeness and accuracy of information produced by the entity may 
be relevant to the audit. 

(iii) Internal control over safeguarding of assets against unauthorised acquisition, use, or 
disposition may include controls relating to both financial reporting and operations objectives. 
The auditor’s consideration of such controls is generally limited to those relevant to the 
reliability of financial reporting. 
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(iv) An entity generally has controls relating to objectives that are not relevant to an audit and 
therefore need not be considered. 

(v) In certain circumstances, the statute or the regulation governing the entity may require 
the auditor to report on compliance with certain specific aspects of internal controls as a 
result, the auditor’s review of internal control may be broader and more detailed. 

Nature and Extent of the Understanding of Relevant Controls: 

(i) Evaluating the design of a control involves considering whether the control, 
individually or in combination with other controls, is capable of effectively 
preventing, or detecting and correcting, material misstatements. 

An improperly designed control may represent a significant deficiency in internal 
control. 

(ii) Risk assessment procedures to obtain audit evidence about the design and 
implementation of relevant controls may include- 

♦ Inquiring of entity personnel. 

♦ Observing the application of specific controls. 

♦ Inspecting documents and reports. 

♦ Tracing transactions through the information system relevant to financial 
reporting. 

Inquiry alone, however, is not sufficient for such purposes. 

(Hi) Obtaining an understanding of an entity’s controls is not sufficient to test their 
operating effectiveness, unless there is some automation that provides for the 
consistent operation of the controls. 

Control Environment: The auditor shall obtain an understanding of the control 
environment. As part of obtaining this understanding, the auditor shall evaluate 
whether- 

(i) Management, with the oversight of those charged with governance, has created 
and maintained a culture of honesty and ethical behavior; and 

(ii) The strengths in the control environment elements collectively provide an 
appropriate foundation for the other components of internal control, and whether 
those other components are not undermined by deficiencies in the control 
environment. 

The control environment includes the governance and management functions and the 
attitudes, awareness, and actions of those charged with governance and management 
concerning the entity’s internal control and its importance in the entity. The control 
environment sets the tone of an organization, influencing the control consciousness of its 
people. 
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Elements of the control environment that may be relevant when obtaining an understanding of 
the control environment include the following: 

(i) Communication and enforcement of integrity and ethical values - These are essential 
elements that influence the effectiveness of the design, administration and monitoring of 
controls. 

(ii) Commitment to competence - Matters such as management’s consideration of the 
competence levels for particular jobs and how those levels translate into requisite skills 
and knowledge. 

(iii) Participation by those charged with governance - Attributes of those charged with 
governance such as: 

♦ Their independence from management. 

♦ Their experience and stature. 

♦ The extent of their involvement and the information they receive, and the scrutiny of 
activities. 

♦ The appropriateness of their actions, including the degree to which difficult 
questions are raised and pursued with management, and their interaction with 
internal and external auditors. 

(iv) Management’s philosophy and operating style - Characteristics such as management’s: 

♦ Approach to taking and managing business risks. 

♦ Attitudes and actions toward financial reporting. 

♦ Attitudes toward information processing and accounting functions and personnel. 

(v) Organisational structure - The framework within which an entity’s activities for achieving 
its objectives are planned, executed, controlled, and reviewed. 

(vi) Assignment of authority and responsibility - Matters such as how authority and 
responsibility for operating activities are assigned and how reporting relationships and 
authorisation hierarchies are established. 

(vii) Human resource policies and practices - Policies and practices that relate to, for 
example, recruitment, orientation, training, evaluation, counselling, promotion, 
compensation, and remedial actions. 

Satisfactory Control Environment - not an absolute deterrent to fraud: The existence of 
a satisfactory control environment can be a positive factor when the auditor assesses 
the risks of material misstatement. However, although it may help reduce the risk of 
fraud, a satisfactory control environment is not an absolute deterrent to fraud. 
Conversely, deficiencies in the control environment may undermine the effectiveness of 
controls, in particular in relation to fraud. For example, management’s failure to commit 
sufficient resources to address IT security risks may adversely affect internal control by 


© The Institute of Chartered Accountants of India 




Internal Control 4.10 


allowing improper changes to be made to computer programs or to data, or 
unauthorized transactions to be processed. As explained in SA 330, the control 
environment also influences the nature, timing, and extent of the auditor’s further 
procedures. 

The control environment in itself does not prevent, or detect and correct, a material 
misstatement. It may, however, influence the auditor’s evaluation of the effectiveness of 
other controls (for example, the monitoring of controls and the operation of specific 
control activities) and thereby, the auditor’s assessment of the risks of material 
misstatement. 

Monitoring of Controls: The auditor shall obtain an understanding of the major activities 
that the entity uses to monitor internal control over financial reporting, including those 
related to those control activities relevant to the audit, and how the entity initiates 
remedial actions to deficiencies in its controls. 

Monitoring of controls is a process to assess the effectiveness of internal control 
performance over time. It involves assessing the effectiveness of controls on a timely 
basis and taking necessary remedial actions. Management accomplishes monitoring of 
controls through ongoing activities, separate evaluations, or a combination of the two. 
Ongoing monitoring activities are often built into the normal recurring activities of an 
entity and include regular management and supervisory activities. 

Management’s monitoring activities may include using information from 
communications from external parties such as customer complaints and regulator 
comments that may indicate problems or highlight areas in need of improvement. 

In case of small entities, management’s monitoring of control is often accomplished by 
management’s or the owner-manager’s close involvement in operations. This 
involvement often will identify significant variances from expectations and inaccuracies 
in financial data leading to remedial action to the control. 

4.3 Accounting and Financial Control 

Internal control, so far as financial and accounting aspects are concerned, aims at: 

(i) Providing the flow of work through various stages. 

(ii) Breaking the chain of the work in a manner so that no single person can handle a 
transaction from the beginning to the end. 

(iii) Segregation of accounting and custodial functions. 

(iv) Securing proper documentation at each stage. 

(v) Specifying authority to enter into the various transactions and for every action connected 
therewith. 

(vi) Recording the transactions in the books of account correctly. 

(vii) Safeguarding of assets. 
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(viii) Making errors and frauds difficult. 

(ix) Fixing responsibility for the work and the responsibility for deviations. 

(x) Building up a system to locate the deviations and departures from the prescribed 
procedures and to detect frauds and errors automatically without much loss of time. 

(xi) Elimination of conflicting responsibilities. 

(xii) Evolving standardised records. 

(xiii) Providing account charts and the accounting manual. 

(xiv) Preparation of periodical accounting and financial report. 

(xv) Making the work simpler as far as practicable. 

(xvi) Minimising loss and wastage. 

(xvii) Encouraging employees to do willing and good work. 

(xviii) Discouraging employees from non-compliance with the prescribed procedures. 

(xix) Appraisal of the operations. 

(xx) Employment of persons of quality. 

(xxi) Formulating a cut-off procedure to separate transactions of two consecutive years. 

4.4 Internal Control and Management 

Before any discussion on the effect of internal control on the auditor’s work is undertaken it is 
necessary to appreciate that devising and installation of internal control is the responsibility of the 
management. In any business, the management is vested with the responsibility of carrying on the 
business, safeguarding its assets and recording the transactions in the books of account and other 
records. The management is responsible for maintaining an adequate accounting system 
incorporating various internal controls to the extent appropriate to the size and nature of the 
business”. It should also be appreciated that in every business organisation, small or big, simple or 
complex, some sort of control is perceptively or otherwise in operation. It ensures uniform 
treatment and operation. It outlines the broad line of authority and specifies each one’s task. The 
form and details, however, may vary from organisation to organisation. It is also important to bear 
in mind that the system installed needs review by the management to ascertain: 

(i) whether the prescribed management policies are being properly interpreted by the 
employees and are faithfully implemented; 

(ii) whether the prescribed procedures need a revision because of changed circumstances 
or whether they have become obsolete or cumbersome; and 

(iii) whether effective corrective measures are taken promptly when the system appears to 
break down. 

It is desirable that the management also installs an internal audit system as an independent 
function to check, amongst other things, the actual operation of the internal control system and 
report to it the deviations and non-compliances. 
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4.5 Internal Control and the Auditor 

The auditor shall determine whether, on the basis of the audit work performed, the auditor has 
identified one or more deficiencies in internal control. 

If the auditor has identified one or more deficiencies in internal control, the auditor shall 
determine, on the basis of the audit work performed, whether, individually or in combination, 
they constitute significant deficiencies. 

The auditor shall communicate in writing significant deficiencies in internal control identified 
during the audit to those charged with governance on a timely basis. 

The auditor shall also communicate to management at an appropriate level of responsibility on 
a timely basis: 

(a) In writing, significant deficiencies in internal control that the auditor has communicated or 
intends to communicate to those charged with governance, unless it would be 
inappropriate to communicate directly to management in the circumstances; and 

(b) Other deficiencies in internal control identified during the audit that have not been 
communicated to management by other parties and that, in the auditor’s professional 
judgment, are of sufficient importance to merit management’s attention. 

The auditor shall include in the written communication of significant deficiencies in internal 
control: 

(a) A description of the deficiencies and an explanation of their potential effects; and 

(b) Sufficient information to enable those charged with governance and management to 
understand the context of the communication. In particular, the auditor shall explain that: 

(i) The purpose of the audit was for the auditor to express an opinion on the financial 
statements; 

(ii) The audit included consideration of internal control relevant to the preparation of the 
financial statements in order to design audit procedures that are appropriate in the 
circumstances, but not for the purpose of expressing an opinion on the 
effectiveness of internal control; and 

(iii) The matters being reported are limited to those deficiencies that the auditor has 

identified during the audit and that the auditor has concluded are of sufficient 
importance to merit being reported to those charged with governance. 

4.6 Review of Internal Control by the Auditor 

So far as the auditor is concerned, the examination and evaluation of the internal control 
system is an indispensable part of the overall audit programme. The auditor needs reasonable 
assurance that the accounting system is adequate and that all the accounting information 
which should be recorded has in fact been recorded. Internal control normally contributes to 


© The Institute of Chartered Accountants of India 








4.13 Auditing and Assurance 


such assurance. The auditor should gain an understanding of the accounting system and 
related internal controls and should study and evaluate the operations of these internal 
controls upon which he wishes to rely in determining the nature, timing and extent of other 
audit procedures. The review of internal controls will enable the auditor to know: 

(i) whether errors and frauds are likely to be located in the ordinary course of operations of 
the business; 

(ii) whether an adequate internal control system is in use and operating as planned by the 
management; 

(iii) whether an effective internal auditing department is operating; 

(iv) whether any administrative control has a bearing on his work (for example, if the control 
over worker recruitment and enrolment is weak, there is a likelihood of dummy names 
being included in the wages sheet and this is relevant for the auditor); 

(v) whether the controls adequately safeguard the assets; 

(vi) how far and how adequately the management is discharging its function in so far as 
correct recording of transactions is concerned; 

(vii) how reliable the reports, records and the certificates to the management can be; 

(viii) the extent and the depth of the examination that he needs to carry out in the different 
areas of accounting; 

(ix) what would be appropriate audit technique and the audit procedure in the given 
circumstances; 

(x) what are the areas where control is weak and where it is excessive; and 

(xi) whether some worthwhile suggestions can be given to improve the control system. 

The auditor can formulate his entire audit programme only after he has had a satisfactory 
understanding of the internal control systems and their actual operation. If he does not care to 
study this aspect, it is very likely that his audit programme may become unwieldy and 
unnecessarily heavy and the object of the audit may be altogether lost in the mass of entries 
and vouchers. It is also important for him to know whether the system is actually in operation. 
Often, after installation of a system, no proper follow up is there by the management to ensure 
compliance. The auditor, in such circumstances, may be led to believe that a system is in 
operation which in reality may not be altogether in operation or may at best operate only 
partially. This state of affairs is probably the worst that an auditor may come across and he 
would be in the midst of confusion, if he does not take care. 

It would be better if the auditor can undertake the review of the internal control system of 
client. This will give him enough time to assimilate the controls and implications and will 
enable him to be more objective in the framing of the audit programme. He will also be in a 
position to bring to the notice of the management the weaknesses of the system and to 
suggest measures for improvement. At a further interim date or in the course of the audit, he 
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may ascertain how far the weaknesses have been removed. 

From the foregoing, it can be concluded that the extent and the nature of the audit programme 
is substantially influenced by the internal control system in operation. In deciding upon a plan 
of test checking, the existence and operation of internal control system is of great significance. 

A proper understanding of the internal control system in its content and working also enables 
an auditor to decide upon the appropriate audit procedure to be applied in different areas to be 
covered in the audit programme. In a situation where the internal controls are considered 
weak in some areas, the auditor might choose an auditing procedure or test that otherwise 
might not be required; he might extend certain tests to cover a large number of transactions or 
other items than he otherwise would examine and at times he may perform additional tests to 
bring him the necessary satisfaction. For example, normally the distribution of wages is not 
observed by the auditor. But if the internal control over wages is so weak that there exists a 
possibility of dummy workers being paid, the auditor might include observation of wages 
distribution in his programme in order to find out the workers who do not turn up for receipt of 
wages. On the other hand, if he is satisfied with the internal control on sales and trade 
receivables, the auditor can get trade receivables’ balances confirmed at almost any time 
reasonably close to the balance sheet date. But if the control is weak, he may feel that he 
should get the confirmation exactly on the date of the year closing so that he may eliminate 
the risk of errors and frauds occurring between the intervening period. Also, he may in that 
situation, decide to have a large coverage of trade receivables by the confirmation procedure. 

A review of the internal control can be done by a process of study, examination and evaluation 
of the control system installed by the management. The first step involves determination of the 
control and procedures laid down by the management. By reading company manuals, studying 
organisation charts and flow charts and by making suitable enquiries from the officers and 
employees, the auditor may ascertain the character, scope and efficacy of the control system. 
To acquaint himself about how all the accounting information is collected and processed and 
to learn the nature of controls that makes the information reliable and protect the company’s 
assets, calls for considerable skill and knowledge. In many cases, very little of this information 
is available in writing; the auditor must ask the right people the right questions if he is to get 
the information he wants. It would be better if he makes written notes of the relevant 
information and procedures contained in the manual or ascertained on enquiry. 

To facilitate the accumulation of the information necessary for the proper review and 
evaluation of internal controls, the auditor can use one of the following to help him to know 
and assimilate the system and evaluate the same: 

(i) Narrative record; 

(ii) Check List; 

(iii) Questionnaire; and 

(iv) Flow chart. 
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4.6.1 The Narrative Record: This is a complete and exhaustive description of the system as 
found in operation by the auditor. Actual testing and observation are necessary before such a 
record can be developed. It may be recommended in cases where no formal control system is 
in operation and would be more suited to small business. The basic disadvantages of narrative 
records are: 

(i) To comprehend the system in operation is quite difficult. 

(ii) To identify weaknesses or gaps in the system. 

(iii) To incorporate changes arising on account of reshuffling of manpower, etc. 

4.6.2 A Check List: This is a series of instructions and/or questions which a member of the 
auditing staff must follow and/or answer. When he completes instruction, he initials the space 
against the instruction. Answers to the check list instructions are usually Yes, No or Not 
Applicable. This is again an on the job requirement and instructions are framed having regard 
to the desirable elements of control. A few examples of check list instructions are given 
hereunder: 

1 . Are tenders called before placing orders? 

2. Are the purchases made on the basis of a written order? 

3. Is the purchase order form standardised? 

4. Are purchase order forms pre-numbered? 

5. Are the inventory control accounts maintained by persons who have nothing to do with: 

(i) custody of work; 

(ii) receipt of inventory; 

(iii) inspection of inventory; and 

(iv) purchase of inventory? 

The complete check list is studied by the Principal/Manager/Senior to ascertain existence of 
internal control and evaluate its implementation and efficiency. 

4.6.3 Internal Control Questionnaire: This is a comprehensive series of questions 
concerning internal control. This is the most widely used form for collecting information about 
the existence, operation and efficiency of internal control in an organisation. 
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An important advantage of the questionnaire approach is that oversight or omission of 
significant internal control review procedures is less likely to occur with this method. With a 
proper questionnaire, all internal control evaluation can be completed at one time or in 
sections. The review can more easily be made on an interim basis. The questionnaire form 
also provides an orderly means of disclosing control defects. It is the general practice to 
review the internal control system annually and record the review in detail. In the 
questionnaire, generally questions are so framed that a ‘Yes’ answer denotes satisfactory 
position and a ‘No’ answer suggests weakness. Provision is made for an explanation or further 
details of ‘No’ answers. In respect of questions not relevant to the business, ‘Not Applicable’ 
reply is given. 

The questionnaire is usually issued to the client and the client is requested to get it filled by 
the concerned executives and employees. If on a perusal of the answers, inconsistencies or 
apparent incongruities are noticed, the matter is further discussed by auditor’s staff with the 
client’s employees for a clear picture. The concerned auditor then prepares a report of defi- 
ciencies and recommendations for improvement. 

4.6.4 A Flow Chart: It is a graphic presentation of each part of the company’s system of 
internal control. A flow chart is considered to be the most concise way of recording the 
auditor’s review of the system. It minimises the amount of narrative explanation and thereby 
achieves a consideration or presentation not possible in any other form. It gives bird’s eye 
view of the system and the flow of transactions and integration and in documentation, can be 
easily spotted and improvements can be suggested. 

It is also necessary for the auditor to study the significant features of the business carried on 
by the concern; the nature of its activities and various channels of goods and materials as well 
as cash, both inward and outward; and also a comprehensive study of the entire process of 
manufacturing, trading and administration. This will help him to understand and evaluate the 
internal controls in the correct perspective. 

4.7 Testing of Internal Control 

After assimilating the internal control system, the auditor needs to examine whether and how 
far the same is actually in operation. For this, he resorts to actual testing of the system in 
operation. This he does on a selective basis: he can plan this testing in such a manner that all 
the important areas are covered in a period of, say, three years. Selective testing is being 
done by application of procedural tests and auditing in depth. 

Tests of Control: Tests of control are performed to obtain audit evidence about the 
effectiveness of the: 

(a) design of the accounting and internal control systems, that is, whether they are suitably 
designed to prevent or detect and correct material misstatements; and 

(b) operation of the internal controls throughout the period. 
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Tests of control include tests of elements of the control environment where strengths in the 
control environment are used by auditors to reduce control risk. 

Some of the procedures performed to obtain the understanding of the accounting and internal 
control systems may not have been specifically planned as tests of control but may provide 
audit evidence about the effectiveness of the design and operation of internal controls relevant 
to certain assertions and, consequently, serve as tests of control. For example, in obtaining 
the understanding of the accounting and internal control systems pertaining to cash, the 
auditor may have obtained audit evidence about the effectiveness of the bank reconciliation 
process through inquiry and observation. 

When the auditor concludes that procedures performed to obtain the understanding of the 
accounting and internal control systems also provide audit evidence about the suitability of 
design and operating effectiveness of policies and procedures relevant to a particular financial 
statement assertion, the auditor may use that audit evidence, provided it is sufficient to 
support a control risk assessment at less than a high level. 

Tests of control may include: 

> Inspection of documents supporting transactions and other events to gain audit evidence 
that internal controls have operated properly, for example, verifying that a transaction 
has been authorised. 

> Inquiries about, and observation of, internal controls which leave no audit trail, for 
example, determining who actually performs each function and not merely who is 
supposed to perform it. 

> Re-performance of internal controls, for example, reconciliation of bank accounts, to 
ensure they were correctly performed by the entity. 

> Testing of internal control operating on specific computerised applications or over the 
overall information technology function, for example, access or program change controls. 

While obtaining audit evidence about the effective operation of internal controls, the auditor 
considers how they were applied, the consistency with which they were applied during the 
period and by whom they were applied. The concept of effective operation recognises that 
some deviations may have occurred. Deviations from prescribed controls may be caused by 
such factors as changes in key personnel, significant seasonal fluctuations in volume of 
transactions and human error. When deviations are detected the auditor makes specific 
inquiries regarding these matters, particularly, the timing of staff changes in key internal 
control functions. The auditor then ensures that the tests of control appropriately cover such a 
period of change or fluctuation. 

Based on the results of the tests of control, the auditor should evaluate whether the internal 
controls are designed and operating as contemplated in the preliminary assessment of control 
risk. The evaluation of deviations may result in the auditor concluding that the assessed level 
of control risk needs to be revised. In such cases, the auditor would modify the nature, timing 
and extent of planned substantive procedures. 
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Before the conclusion of the audit, based on the results of substantive procedures and other 
audit evidence obtained by the auditor, the auditor should consider whether the assessment of 
control risk is confirmed. In case of deviations from the prescribed accounting and internal 
control systems, the auditor would make specific inquiries to consider their implications. 
Where, on the basis of such inquiries, the auditor concludes that the deviations are such that 
the preliminary assessment of control risk is not supported, he would amend the same unless 
the audit evidence obtained from other tests of control supports that assessment. Where the 
auditor concludes that the assessed level of control risk needs to be revised, he would modify 
the nature, timing and extent of his planned substantive procedures. 

It has been suggested that actual operation of the internal control should be tested by the 
application of procedural tests and examination in depth. Procedural tests simply mean testing 
of the compliance with the procedures laid down by the management in respect of initiation, 
authorisation, recording and documentation of transaction at each stage through which it 
flows. For example, the procedure for sales requires the following: 

(i) Before acceptance of any order the position of inventory of the relevant article should be 
known to ascertain whether the order can be executed in time. 

(ii) An advice under the authorisation of the sales manager should be sent to the party 
placing the order, internal reference number, and the acceptance of the order. This 
advice should be prepared on a standardised form and copy thereof should be forwarded 
to inventory section to enable it to prepare for the execution of the order in time. 

(iii) The credit period allowed to the party should be the normal credit period. For any special 
credit period a special authorisation of the sales manager would be necessary. 

(iv) The rate at which the order has been accepted and other terms about transport, 
insurance, etc., should be clearly specified. 

(v) Before deciding upon the credit period, a reference should be made to the credit section 
to know the creditworthiness of the party and particularly whether the party has honoured 
its commitments in the past. 

An auditor testing the internal controls on sales should invariably test whether any of the 
aforesaid procedures have been omitted. If credit has actually been granted without a 
reference to the credit section to know the creditworthiness of the party, it is possible that the 
amount may prove bad because of the financial crisis or deadlock in the management of the 
party, a fact which could have been easily gathered from the credit section. Similarly, if an 
order is received without a reference to the inventory section, it is likely due to non-availability 
of the inventory on the stipulated date; execution of the order may be delayed and the 
company may have to compensate the buyer for the damages suffered by him. 


4.8 Examination in Depth 

It implies examination of a few selected transactions from the beginning to the end through the 
entire flow of the transaction, i.e. , from initiation to the completion of the transaction by receipt 
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of payment of cash and delivery or receipt of the goods. This examination consists of studying 
the recording of transactions at the various stages through which they have passed. At each 
stage, relevant records and authorities are examined; it is also judged whether the person who 
has exercised the authority in relation to the transactions is fit to do so in terms of the 
prescribed procedure. For example, if payment to a creditor is to be verified “in depth’’, it 
would be necessary to examine the following documents: 

(a) The invoice and statement of account received from the supplier. 

(b) The entry in the inventory record showing that the goods were received. 

(c) The Goods Received Note and Inspection Certificate showing that the goods on receipt 
were verified and inspected. 

(d) The copy of the original order and authority showing that the goods in fact were ordered 
by an authority which was competent to do so. 

It is to be emphasised that, so far as the management is concerned, the internal control 
should have willing acceptance at the hands of the employees and there should exist proper 
mechanism for such motivation. 

4.9 Relationship between the Assessments of Inherent and Control 
Risks 

Management often reacts to inherent risk situations by designing accounting and internal 
control systems to prevent or detect and correct misstatements and therefore, in many cases, 
inherent risk and control risk are highly interrelated. In such situations, if the auditor attempts 
to assess inherent and control risks separately, there is a possibility of inappropriate risk 
assessment. As a result, audit risk may be more appropriately determined in such situations 
by making a combined assessment. 

The level of detection risk relates directly to the auditor's substantive procedures. The 
auditor's control risk assessment, together with the inherent risk assessment, influences the 
nature, timing and extent of substantive procedures to be performed to reduce detection risk, 
and therefore audit risk, to an acceptably low level. Some detection risk would always be 
present even if an auditor was to examine 100 percent of the account balances or class of 
transactions because, for example, most audit evidence is persuasive rather than conclusive. 

The auditor should consider the assessed levels of inherent and control risks in determining 
the nature, timing and extent of substantive procedures required to reduce audit risk to an 
acceptably low level. In this regard the auditor would consider: 

(a) the nature of substantive procedures, for example, using tests directed toward 
independent parties outside the entity rather than tests directed toward parties or 
documentation within the entity, or using tests of details for a particular audit objective in 
addition to analytical procedures; 
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(b) the timing of substantive procedures, for example, performing them at period end rather 
than at an earlier date; and 

(c) the extent of substantive procedures, for example, using a larger sample size. 

There is an inverse relationship between detection risks and the combined level of inherent 
and control risks. For example, when inherent and control risks are high, acceptable detection 
risk needs to be low to reduce audit risk to an acceptably low level. On the other hand, when 
inherent and control risks are low, an auditor can accept a higher detection risk and still 
reduce audit risk to an acceptably low level. 

While tests of control and substantive procedures are distinguishable as to their purpose, the 
results of either type of procedure may contribute to the purpose of the other. Misstatements 
discovered in conducting substantive procedures may cause the auditor to modify the previous 
assessment of control risk. 

The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the 
need for the auditor to perform any substantive procedures. Regardless of the assessed 
levels of inherent and control risks, the auditor should perform some substantive procedures 
for material account balances and classes of transactions. 

The auditor's assessment of the components of audit risk may change during the course of an 
audit, for example, information may come to the auditor's attention when performing 
substantive procedures that differs significantly from the information on which the auditor 
originally assessed inherent and control risks. In such cases, the auditor would modify the 
planned substantive procedures based on a revision of the assessed levels of inherent and 
control risks. 

The higher the assessment of inherent and control risks, the more audit evidence the auditor 
should obtain from the performance of substantive procedures. When both inherent and 
control risks are assessed as high, the auditor needs to consider whether substantive 
procedures can provide sufficient appropriate audit evidence to reduce detection risk, and 
therefore audit risk, to an acceptably low level. When the auditor determines that detection 
risk regarding a financial statement assertion for a material account balance or class of 
transactions cannot be reduced to an acceptable level, the auditor should express a qualified 
opinion or a disclaimer of opinion as may be appropriate. 

4.10 Communication of Weaknesses in Internal Control 

As a result of obtaining an understanding of the accounting and internal control systems and 
tests of control, the auditor may become aware of weaknesses in the systems. The auditor 
should make management aware, as soon as practical and at an appropriate level of 
responsibility, of material weaknesses in the design or operation of the accounting and internal 
control systems, which have come to the auditor's attention. The communication to 
management of material weaknesses would ordinarily be in writing. However, if the auditor 
judges that oral communication is appropriate, such communication would be documented in 
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the audit working papers. It is important to indicate in the communication that only 
weaknesses which have come to the auditor's attention as a result of the audit have been 
reported and that the examination has not been designed to determine the adequacy of 
internal control for management purposes. 

4.11 Internal Control in the Small Business 

The auditor needs to obtain the same degree of assurance in order to give an unqualified 
opinion on the financial statements of both small and large entities. However, many controls 
which would be relevant to large entities are not practical in the small business. For example, 
in small business, accounting work may be performed by only a few persons. These persons 
may have both operating and custodial responsibilities, and segregation of functions may be 
missing or severely limited. Inadequate segregation of duties may, in some cases, be offset by 
owner/manager supervisory controls which may exist because of direct personal knowledge of 
the business and involvement in the business transactions. In circumstances where 
segregation of duties is limited or evidence of supervisory controls is lacking, the evidence 
necessary to support the auditor’s opinion on the financial information may have to be 
obtained largely through the performance of substantive procedures. 

4.12 Internal Control and the Computerised Information System (CIS) 
Environment 

The principal object of an audit is to ensure that the accounts on which the auditor is reporting 
to show a true and fair view of the state of affairs at a given date and of the results for the 
period ended on that date. The essential features of an audit, appropriate for medium or large 
sized concern, are: 

(a) an evaluation of the system of accounting and internal control to ascertain whether they 
are appropriate for the business and properly record all transactions; 

(b) the making of such tests and enquiries as are considered necessary to determine 
whether the systems are being operated correctly; 

(c) an examination of the accounts in order to verify: 

(i) the title, existence and value of the assets appearing in the balance sheet and to 
verify that all liabilities are correctly included therein; 

(ii) that the results shown by the profit and loss account are fairly stated; 

and to ensure that such accounts are in accordance with the underlying records and comply 
with the appropriate statutory requirements. 

The overall objective and scope of an audit does not change in CIS environment. However, 
the use of a computer changes the processing and storage of financial information and may 
affect the organization and procedures employed by the entity to achieve adequate internal 
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control. Accordingly, the procedures followed by the auditor in his study and evaluation of the 
accounting system and related internal controls and nature, timing and extent of his other 
audit procedures may be affected by CIS environment. 

Skills and Competence: When auditing in CIS environment, the auditor should have an 
understanding of computer hardware, software and processing systems sufficient to plan the 
engagement and to understand how CIS affects the study and evaluation of internal control 
and application of auditing procedures including computer-assisted audit techniques. The 
auditor should also have sufficient knowledge of CIS to implement the auditing procedures, 
depending on the particular audit approach adopted. 

Work Performed by Others: The auditor is never able to delegate his responsibility for 
forming important audit conclusions or for forming and expressing his opinion on the financial 
information. Accordingly, when he delegates work to assistants or uses work performed by 
other auditors or experts, the auditor should have sufficient knowledge of CIS to direct, 
supervise and review the work of assistants with CIS skills or to obtain reasonable assurance 
that the work performed by other auditors or experts with CIS skills is adequate for his 
purpose, as applicable. 

Planning: The auditor should gather information about the CIS environment that is relevant to 
the audit plan, including information as to: 

> How the CIS function is organized and the extent of concentration or distribution of 
computer processing throughout the entity. 

> The computer hardware and software used by the entity. 

> Each significant application processed by the computer, the nature of the processing 
(e.g. batch, on-line), and data retention policies. 

> Planned implementation of new applications or revisions to existing applications. 

> When considering his overall plan the auditor should consider matters, such as: 

• Determining the degree of reliance, if any, he expects to be able to place on the CIS 
controls in his overall evaluation of internal control. 

• Planning how, where and when the CIS function will be reviewed including 
scheduling the works of CIS experts, as applicable. 

• Planning auditing procedures using computer-assisted audit techniques. 

Accounting System and Internal Control: During the review and preliminary evaluation of 
internal control, the auditor should acquire knowledge of the accounting system to gain an 
understanding of the overall control environment and the flow of transactions. If the auditor 
plans to rely on internal controls in conducting his audit, he should consider the manual and 
computer controls affecting the CIS function (general CIS controls) and the specific controls 
over the relevant accounting applications (CIS application controls). 
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Audit Evidence: A CIS environment may affect the application of compliance and substantive 
procedures in several ways. 

The use of computer assisted audit techniques may be required because: 

> The absence of input documents (e.g. order entry in on-line systems) or the generation of 
accounting transactions by computer programs (e.g. automatic calculation of discounts) 
may preclude the auditor from examining documentary evidence. 

> The lack of a visible audit trail will preclude the auditor from visually following 
transactions through the computerized accounting system. 

> The lack of visible output may necessitate access to data retained on files readable only 
by the computer. 

The timing of auditing procedures may be affected because data may not be retained in 
computer files for a sufficient length of time for audit use, and the auditor may have to make 
specific arrangements to have it retained or copied. 

The effectiveness and efficiency of auditing procedures may be improved through the use of 
computer-assisted audit techniques in obtaining and evaluating audit evidence, for example: 

(i) Some transactions may be tested more effectively for a similar level of cost by using the 
computer to examine all or a greater number of transactions than would otherwise be 
selected. 

(ii) In applying analytical review procedures, transactions or balance details may be 
reviewed and reports printed of unusual items more efficiently by using the computer 
than by manual methods. 

4.12.1 Organizational Structure in the CIS Environment: In a CIS environment, an 
entity will establish an organizational structure and procedures to manage the CIS activities. 
Characteristics of a CIS organizational structure include- 

(a) Concentration of functions and knowledge— although most systems employing CIS 
methods will include certain manual operations, generally the number of persons 
involved in the processing of financial information is significantly reduced. Furthermore, 
certain data processing personnel may be the only ones with a detailed knowledge of the 
interrelationship between the source of data, how it is processed and the distribution and 
use of the output. It is also likely that they are aware of any internal control weaknesses 
and, therefore, may be in a position to alter programs or data while stored or during 
processing. Moreover, many conventional controls based on adequate segregation of 
incompatible functions may not exist, or in the absence of access and other controls, may 
be less effective. 

(b) Concentration of programs and data— transaction and master file data are often 
concentrated, usually in machine-readable form, either in one computer installation 
located centrally or in a number of installations distributed throughout an entity. 
Computer programs which provide the ability to obtain access to and alter such data are 
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likely to be stored at the same location as the data. Therefore, in the absence of 
appropriate controls, there is an increased potential for unauthorized access to, and 
alteration of, programs and data. 

Nature of Processing: The use of computers may result in the design of systems that provide 
less visible evidence than those using manual procedures. In addition, these systems may be 
accessible by a larger number of persons. System characteristics that may result from the 
nature of CIS processing include: 

(a) Absence of input documents— data may be entered directly into the computer system 
without supporting documents. In some on-line transaction systems, written evidence of 
individual data entry authorization (e.g. approval for order entry) may be replaced by 
other procedures, such as authorization controls contained in computer programs (e.g. 
credit limit approval). 

(b) Lack of visible transaction trail— certain data may be maintained on computer files only. 
In a manual system, it is normally possible to follow a transaction through the system by 
examining source documents, books of account, records, files and reports. In a CIS 
environment, however, the transaction trail may be partly in machine-readable form, and 
furthermore it may exist only for a limited period of time. 

(c) Lack of visible output— certain transactions or results of processing may not be printed. 
In a manual system, and in some CIS systems, it is normally possible to examine visually 
the results of processing. In other CIS systems, the results of processing may not be 
printed, or only summary data may be printed. Thus, the lack of visible output may result 
in the need to access data retained on files readable only by the computer. 

(d) Ease of access to data and computer programs— data and computer programs may be 
accessed and altered at the computer or through the use of computer equipment at 
remote locations. Therefore, in the absence of appropriate controls, there is an increased 
potential for unauthorized access to, and alteration of, data and programs by persons 
inside or outside the entity. 

Design and Procedural Aspects: The development of CIS systems will generally result in 
design and procedural characteristics that are different from those found in manual systems. 
These different design and procedural aspects of CIS systems include: 

(a) Consistency of performance— CIS systems performed functions exactly as programmed 
and are potentially more reliable than manual systems, provided that all transaction types 
and conditions that could occur are anticipated and incorporated into the system. On the 
other hand, a computer program that is not correctly programmed and tested may 
consistently process transactions or other data erroneously. 

(b) Programmed control procedures— the nature of computer processing allows the design of 
internal control procedures in computer programs. These procedures can be designed to 
provide controls with limited visibility (e.g. protection of data against unauthorized access 
may be provided by passwords). Other procedures can be designed for use with manual 
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intervention, such as review of reports printed for exception and error reporting, and 
reasonableness and limit checks of data. 

(c) Single transaction update of multiple or data base computer files— a single input to the 
accounting system may automatically update all records associated with the transaction 
(e.g. shipment of goods documents may update the sales and customers’ accounts 
receivable files as well as the inventory file). Thus, an erroneous entry in such a system 
may create errors in various financial accounts. 

(d) Systems generated transactions— certain transactions may be initiated by the CIS 
system itself without the need for an input document. The authorization of such 
transactions may not be evidenced by visible input documentation nor documented in the 
same way as transactions which are initiated outside the CIS (e.g., interest may be 
calculated and charged automatically to customers’ account balances on the basis of 
pre-authorized teams contained in a computer program). 

(e) Vulnerability of data and program storage media— large volumes of data and the 
computer programs used to process such data may be stored on portable or fixed 
storage media, such as magnetic disks and tapes. These media are vulnerable to theft, 
or intentional or accidental destruction. 

4.12.2 Internal Controls in the CIS Environment: The internal controls over computer 
processing, which help to achieve the overall objectives of internal control, include both 
manual procedures and procedures designed into computer programs. Such manual and 
computer control procedures comprise the overall controls affecting the CIS environment 
(general CIS controls) and the specific controls over the accounting applications (CIS 
application controls). 

General CIS Controls: The purpose of general CIS controls is to establish a framework of 
overall control over the CIS activities and to provide a reasonable level of assurance that the 
overall objectives of internal control are achieved. 

General CIS controls may include: 

(a) Organization and management controls— designed to establish an organizational 
framework over CIS activities, including: 

■S Policies and procedures relating to control functions. 

-V Appropriate segregation of incompatible functions (e.g. preparation of input 
transactions, programming and computer operations). 

(b) Application systems development and maintenance controls— designed to provide 
reasonable assurance that systems are developed and maintained in an authorized and 
efficient manner. They also typically are designed to establish control over: 

S Testing, conversion, implementation and documentation of new or revised systems. 

■S Changes to application systems. 
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■S Access to systems documentation. 

S Acquisition of application systems from third parties. 

(c) Computer operation controls— designed to control the operation of the systems and to 
provide reasonable assurance that: 

S The systems are used for authorized purposes only. 

■S Access to computer operations is restricted to authorized personnel. 

■S Only authorized programs are used. 

S Processing errors are detected and corrected. 

(d) Systems software controls— designed to provide reasonable assurance that system 
software is acquired or developed in an authorized and efficient manner, including: 

•S Authorization, approval, testing, implementation and documentation of new systems 
software and systems software modifications. 

S Restriction of access to systems software and documentation to authorized 
personnel. 

(e) Data entry and program controls— designed to provide reasonable assurance that: 

S An authorization structure is established over transactions being entered into the 
system. 

■S Access to data and programs is restricted to authorized personnel. 

There are other CIS safeguards that contribute to the continuity of CIS processing. These may 
include: 

• Offsite back-up of data and computer programs. 

• Recovery procedures for use in the event of theft, loss or international or accidental 
destruction. 

• Provision for offsite processing in the event of disaster. 

CIS Application Controls: The purpose of CIS application controls is to establish specific 
control procedures over the accounting applications in order to provide reasonable assurance 
that all transactions are authorized and recorded, and are processed completely, accurately 
and on a timely basis. CIS application controls include: 

(A) Controls over input— designed to provide reasonable assurance that: 

■S Transactions are properly authorized before being processed by the computer. 

S Transactions are accurately converted into machine readable form and recorded in 
the computer data files. 

■S Transactions are not lost, added, duplicated or improperly changed. 

■S Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a 
timely basis. 
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(B) Controls over processing and computer data files— designed to provide reasonable 
assurance that: 

S Transactions, including system generated transactions, are properly processed by 
the computer. 

S Transactions are not lost, added, duplicated or improperly changed. 

■S Processing errors are identified and corrected on a timely basis. 

(C) Controls over output— designed to provide reasonable assurance that: 

S Results of processing are accurate. 

■S Access to output is restricted to authorized personnel. 

S Output is provided to appropriate authorized personnel on a timely basis. 

4.12.3 Review of Internal Controls: Review of General CIS Controls - The general CIS 
controls which the auditor may wish to test are described above. The auditor should consider how 
these general CIS controls affect the CIS applications significant to the audit. General CIS controls 
that relate to some or all applications are typically inter-dependent controls in their operation is 
often essential to the effectiveness of CIS application controls. Accordingly, it may be more efficient 
to review the design of the general controls before reviewing the application controls. 

Review of CIS Application Controls - Control over input, processing, data files and output 
may be carried out by CIS personnel, by users of the system, by a separate control group, or 
may be programmed into application software. CIS application controls which the auditor may 
wish to test include: 

(A) Manual controls exercised by the user— if manual controls exercised by the user of the 
application system are capable of providing reasonable assurance that the systems’ 
output is complete, accurate and authorized, the auditor may decide to limit tests of 
control to these manual controls (e.g. the manual controls exercised by the user over a 
computerized payroll system for salaried employees could include an anticipatory input 
control total for gross pay, the test checking of net salary output computations, the 
approval of the payments and transfer of funds, comparison to payroll register amounts, 
and prompt bank reconciliation). In this case, the auditor may wish to test only the 
manual controls exercised by the user. 

(B) Controls over system output— if, in addition to manual controls exercised by the user, the 
controls to be tested use information produced by the computer or are contained within 
computer programs, it may be possible to test such controls by examining the system’s 
output using either manual or computer-assisted audit techniques. Such output may be in 
the form of magnetic media, microfilm or printouts (e.g. the auditor may test controls 
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exercised by the entity over the reconciliation of report totals to the general ledger control 
accounts and may perform manual tests of those reconciliations). Alternatively, where the 
reconciliation is performed by computer, the auditor may wish to test the reconciliation by 
re-performing the control with the use of computer-assisted audit techniques. 

(C) Programmed control procedures— in the case of certain computer systems, the auditor 
may find that it is not possible or, in some cases, not practical to test controls by 
examining only user controls or the system’s output (e.g. in an application that does not 
provide printouts of critical approvals or overrides to normal policies, the auditor may 
want to test control procedures contained within the application program). The auditor 
may consider performing tests of control by using computer-assisted audit techniques, 
such as test data, reprocessing transactions data or, in unusual situations, examining the 
coding of the application program. 

Evaluation - The general CIS controls may have a pervasive effect on the processing of 
transactions in application systems. If these controls are not effective, there may be a risk that 
misstatements might occur and go undetected in the application systems. Thus, weaknesses 
in general CIS controls may preclude testing certain CIS application controls; however, 
manual procedures exercised by users may provide effective control at the application level. 

4.12.4 Approaches to Audit in CIS Environment: Changes in hardware and software 
have changed the conceptual approach to auditing. An early approach consisted of essentially 
ignoring the computer, treating it as a black box, and auditing around it. The increasing 
sophistication of computers, however, has since led to computers being used in two ways; (1) 
as a tool of the auditor aiding in the performance of the audit, such as printing confirmation 
requests, and (2) as the target of the audit where data are submitted to the computer and the 
results are analyzed for processing reliability and accuracy of the computer program. 

The auditor must plan whether to use the computer to assist the audit or whether to audit 
without using the computer. The two approaches are commonly called “auditing around the 
computer” and “auditing through the computer”. 

The work of an auditor would be hardly affected if “Audit Trail” is maintained i.e. if it were still 
possible to relate, on a ‘one-to-one’ basis, the original input with the final output. A simplified 
representation of the documentation is a manually created audit trail. 

From this Figure I the particular credit notes may be located by the auditor at any time he may 
wish to examine them, even months after the balance sheet date. He also has the means, 
should he so wish, of directly verifying the accuracy of the totals and sub-totals that feature in 
the control listing, by reference to individual credit notes. He can, of course, check all detailed 
calculations, casts and postings in the accounting records, at any time. 
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Diagram I Manually created audit trail 

In first and early second-generation computer systems, such a complete audit trail was generally 
available, no doubt, to management’s own healthy skepticism of what the new machine could be 
relied upon to achieve - an attitude obviously shared by the auditor. The documentation in such a 
trail might again be portrayed as shown, in an over-simplified way, in Figure I. 

It is once again clear from the diagram that there is an abundance of documentation upon 
which the auditor can use his traditional symbols of scrutiny, in the form of colored ticks and 
rubber stamps. Specifically: 

(1 ) The output itself is as complete and as detailed as in any manual system. 

(2) The trail, from beginning to end, is complete, so that all documents may be identified by 
locating for purposes of vouching, totalling and cross-referencing. 

Any form of audit checking is possible, including depth testing in either direction. 

The execution of normal audit tests on records which are produced by computer, but which are 
nevertheless as complete as indicated above, is usually described as audit testing round the 
machine. 

Auditing around the Computer - Auditing around the computer involves arriving at an audit 
opinion through examining the internal control system for a computer installation and the input 
and output only for application systems. On the basis of the quality of the input and output of 
the application system, the auditor infers the quality of the processing carried out. Application 
system processing is not examined directly. The auditor views the computer as a black box. 

The auditor can usually audit around the computer when either of the following situations 
applies to application systems existing in the installation: 

(1) The system is simple and batch oriented. 
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(2) The system uses generalized software that is well-tested and used widely by many 
installations. 

Sometimes batch computer systems are just an extension of manual systems. These systems 
have the following attributes: 

(1) The system logic is straightforward and there are no special routines resulting from the 
use of the computer to process data. 

(2) Input transactions are batched and control can be maintained through the normal 
methods, for example, separation of duties and management supervision. 

(3) Processing primarily consists of sorting the input data and updating the master file 
sequentially. 

(4) There is a clear audit trail and detailed reports are prepared at key processing points 
within the system. 

(5) The task environment is relatively constant and few stresses are placed on the system. 

For these well-defined systems, generalized software packages often are available. For 
example, software vendors have developed payroll, accounts receivable, and accounts 
payable packages. If these packages are provided by a reputable vendor, have received 
widespread use, and appear error-free, the auditor may decide not to test directly the 
processing aspects of the system. The auditor must ensure, however, that the installation has 
not modified the package in any way and that adequate controls exist, to prevent unauthorized 
modification of the package. 

Not all generalized software packages make application systems amenable to auditing around 
the computer. Some packages provide a set of generalized functions that still must be 
selected and combined to accomplish application system purposes. For example, database 
management system software may provide generalized update functions, but a high-level 
program still must be written to combine these functions in the required way. In this situation 
the auditor is less able to infer the quality of processing from simply examining the system’s 
input and output. 

The primary advantage of auditing around the computer is simplicity. Auditors having little 
technical knowledge of computers can be trained easily to perform the audit. 

There are two major disadvantages to the approach. First, the type of computer system where 
it is applicable is very restricted. It should not be used for systems having any complexity in 
terms of size or type of processing. Second, the auditor cannot assess very well the likelihood 
of the system degrading if the environment changes. The auditor should be concerned with 
the ability of the system to cope with a changed environment. Systems can be designed and 
programs can be written in certain ways so that a change in the environment will not cause the 
system to process data incorrectly or for it to degrade quickly. 
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Auditing through the Computer - The auditor can use the computer to test: (a) the logic and 
controls existing within the system and (b) the records produced by the system. Depending 
upon the complexity of the application system being audited, the approach may be fairly 
simple or require extensive technical competence on the part of the auditor. 

There are several circumstances where auditing through the computer must be used: 

(1) The application system processes large volumes of input and produces large volumes of 
output that make extensive direct examination of the validity of input and output difficult. 

(2) Significant parts of the internal control system are embodied in the computer system. For 
example, in an online banking system a computer program may batch transactions for 
individual tellers to provide control totals for reconciliation at the end of the day’s 
processing. 

(3) The logic of the system is complex and there are large portions that facilitate use of the 
system or efficient processing. 

(4) Because of cost-benefit considerations, there are substantial gaps in the visible audit 
trail. 

The primary advantage of this approach is that the auditor has increased power to effectively 
test a computer system. The range and capability of tests that can be performed increases 
and the auditor acquires greater confidence that data processing is correct. By examining the 
system’s processing the auditor also can assess the system’s ability to cope with environment 
change. 

The primary disadvantages of the approach are the high costs sometimes involved and the 
need for extensive technical expertise when systems are complex. However, these 
disadvantages are really spurious if auditing through the computer is the only viable method of 
carrying out the audit. 

4.13 Internal Check 

Internal check has been defined by the Institute of Chartered Accountants of England and 
Wales as the “checks on day-to-day transactions which operate continuously as part of the 
routine system whereby the work of one person is proved independently or is complementary 
to the work of another, the object being the prevention or early detection of errors or fraud”. 
Internal check is a part of the overall internal control system and operates as a built-in device 
as far as the staff organisation and job allocation aspects of the control system are concerned. 
A system of internal check in accounting implies organisation of system of book keeping and 
arrangement of staff duties in such a manner that no one person can completely carry through 
a transaction and record every aspect thereof. The essential elements of a goods system of 
internal check are: 
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(i) Existence of checks on the day-to-day transaction. 

(ii) Which operate continuously as a part of the routine system. 

(iii) Whereby the work of each person is either proved independently or is made 
complementary to the work of another. 

Its objective is to prevent and to bring about a speedy detection of frauds, wastes and errors. 

The system is based on the principle that when the performance of each individual in an 

organisation, normally and automatically, is checked by another, the chances of occurrence of 
errors, or their remaining undetected, are greatly reduced; also that, when two or more 
persons essentially must combine either to receive or to make a payment, there will be lesser 
possibility of a fraud being perpetrated by them. 

For instance, let us consider the simple case of a trading concern. It would have a cashier to 
receive cash who also shall issue receipts. There would be separate persons to write the cash 
book and ledgers, the stores accounts would be maintained by the store-keeper, and so on; 

there would be thus a large number of functionaries. In such an organisation, for putting 

through a transaction of sale, first of all a bill would be prepared and the same would be 
checked and authorised by the sales manager; afterwards the cashier would collect the sale 
price and finally the store-keeper would issue the goods, on being satisfied that each of the 
functionaries earlier to him had carried out his part of duties. 

Such a division of responsibilities is made on the broad principle that persons having physical 
custody of assets should not have access to the books of account. Also apart from accounting 
control, the physical and financial records of important assets should be reconciled 
periodically. 

The scope of the statutory or professional audit is limited by the both the cost and the time 
factors. Therefore, it is increasingly being recognised that for an audit to be effective, 
especially when the size of a concern is large, the existence of a system of internal check is 
essential. The auditor can rely on it and, on that consideration, reduce the extent of detailed 
checking to be carried out by him but only after he has checked its effectiveness by the 
application of procedural tests. It must, however, be added that in the event of any mistake or 
fraud being discovered subsequently in the area of accounts which the statutory auditor has 
accepted to be correct, he may be guilty of negligence regardless of the fact that he had 
tested the internal check in operation before he has accepted it to be correct. 

General Considerations in Framing a System of Internal Check: 

(i) No single person should have an independent control over any important aspect of the 
business. All dealings and acts of every employee should, in the ordinary course, come 
under the review of another. 

(ii) The duties of members of the staff should be changed from time to time without any 
previous notice so that the same officer or subordinate does not, without a break, 
perform the same function for a considerable length of time. 
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(iii) Every member of the staff should be encouraged to go on leave at least once in a year. 
Experience has shown that frauds successfully concealed by employees are often 
unearthed when they are on leave. 

(iv) Persons having physical custody of assets must not be permitted to have access to the 
books of account. 

(v) There should exist an accounting control in respect of each important class of assets; in 
addition, these should be periodically inspected so as to establish their physical 
condition. 

(vi) To prevent loss or misappropriation of cash, mechanical devices, such as the automatic 
cash register, should be employed. 

(vii) A majority of business concerns now-a-days work according to some kind of budgetary 
control. It enables them to review from time to time the progress of their trading activities. 
Such business houses should have a separate staff for the collection of statistical figures 
which later on should be checked with the corresponding figures from the financial books. 
If wide discrepancies are observed, these should be reconciled. 

(viii) For inventory-taking, at the close of the year, trading activities should, if possible, be 
suspended. The task of inventory-taking, and evaluation should be done by staff 
belonging to several sections of the organisation. It may prove dangerous to depend 
exclusively on the inventory section staff for these tasks, since they may be tempted to 
under or over-state the inventory. 

(ix) The financial and administrative powers should be distributed very judiciously among 
different officers and the manner in which these are actually exercised should be 
reviewed periodically. 

(x) Procedures should be laid down for periodical verification and testing of different sections 
of accounting records to ensure that they are accurate. 

(xi) Accounting procedures should be reviewed periodically, for, even well-designed and 
carefully installed procedures, in course of time, cease to be effective. 

Tutorial Note: Since verification of the internal check is an important function of an audit, it is 
recommended that students should study the nature and details of the audit forms of internal 
check and their application on examining their operation in various business organisations the 
accounts of which they have an opportunity to audit. Examiners often require students to 
define internal check and also to suggest the internal checks which would be applicable for 
one or more operations of a business or to explain the consequences which would result if the 
internal checks in respect of one or more operations did not exist. Before attempting such a 
question, it is advisable that the student should visualize the various processes through which 
each transaction would pass before it is recorded, comprehend the exact nature of documents 
on the basis of which the transaction would be recorded and the sequences in which the 
entries would be made in the books of account. Once this is done, it would be possible for him 
to suggest the appropriate internal checks that should be introduced or the consequences if 
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they are not introduced provided the student has knowledge of the fundamentals of the 
subject, the channels through which the money and goods normally flow and the various 
stages at which a record of their movements is kept. 

4.14 Internal Audit 

It is also worthwhile to know the modern concept of internal auditing. The Institute of Internal 
Auditors, USA defined internal auditing “as an independent appraisal function, established 
within an organisation to examine and evaluate its activities as a service to the organisation. 
The objective of internal auditing is to assist members of the organisation in the effective dis- 
charge of their responsibilities. To this end, internal auditing furnishes them with analyses, 
appraisals, recommendations, counsel and information concerning the activities reviewed”. 
According to proponents of modern internal auditing, it embraces not only the operational 
audit of various operating activities in the organisation but also includes the audit of 
management itself. Recently, the Institute of Internal Auditors revised the definition of Internal 
Auditing as under: 

"Internal auditing is an independent, objective assurance and consulting activity designed to 
add value and improve an organisation's operations. It helps an organisation accomplish its 
objectives by bringing a systematic, disciplined approach to evaluate and improve the 
effectiveness of risk management, control and governance process." 

The main thrust of the revised definition is to remphasise the increasing scope of internal audit 
with a view to achieving maximum organisational effectiveness. It is felt that if such an activity 
is an integral part of the organisation, it shall go a long way to maximise the organisational 
goals. As students, if you trace the emergence of internal auditing over a period of time since 
early forties in the twentieth century, the scope of internal auditing increased considerably 
from financial to non financial activities. With the passage of time, the internal audit came to 
be recognised as a valuable resource to achieve overall growth objectives of the organisation. 

“Internal Audit is an independent management function, which involves a continuous and 
critical appraisal of the functioning of an entity with a view to suggest improvements thereto 
and add value to and strengthen the overall governance mechanism of the entity, including the 
entity’s risk management and internal control system.” 

The objects of internal audit can be stated as follows: 

(i) To verify the accuracy and authenticity of the financial accounting and statistical records 
presented to the management. 

(ii) To ascertain that the standard accounting practices, as have been decided to be followed 
by the organisation, are being adhered to. 

(iii) To establish that there is a proper authority for every acquisition, retirement and disposal 
of assets. 

(iv) To confirm that liabilities have been incurred only for the legitimate activities of the 
organisation. 
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(v) To analyse and improve the system of internal check; in particular to see that it is (a) 
working; (b) sound; and (c) economical. 

(vi) To facilitate the prevention and detection of frauds. 

(vii) To examine the protection afforded to assets and the uses to which they are put. 

(viii) To make special investigations for management. 

(ix) To provide a channel whereby new ideas can be brought to the attention of management. 

(x) To review the operation of the overall internal control system and to bring material 
departures and non-compliances to the notice of the appropriate level of management ; 
the review also generally aims at locating unnecessary and weak controls for making the 
entire control system effective and economical. 

As per SA-610, “Using the Work of an Internal Auditor”, the objectives of internal audit 
functions vary widely and depend on the size and structure of the entity and the requirements 
of management and, where applicable, those charged with governance. The activities of the 
internal audit function may include one or more of the following: 

• Monitoring of internal control. The internal audit function may be assigned specific 
responsibility for reviewing controls, monitoring their operation and recommending 
improvements thereto. 

• Examination of financial and operating information. The internal audit function may 
be assigned to review the means used to identify, measure, classify and report financial 
and operating information, and to make specific inquiry into individual items, including 
detailed testing of transactions, balances and procedures. 

• Review of operating activities. The internal audit function may be assigned to review 
the economy, efficiency and effectiveness of operating activities, including non- financial 
activities of an entity. 

• Review of compliance with laws and regulations. The internal audit function may be 
assigned to review compliance with laws, regulations and other external requirements, 
and with management policies and directives and other internal requirements. 

• Risk management. The internal audit function may assist the organization by identifying 
and evaluating significant exposures to risk and contributing to the improvement of risk 
management and control systems. 

• Governance. The internal audit function may assess the governance process in its 
accomplishment of objectives on ethics and values, performance management and 
accountability, communicating risk and control information to appropriate areas of the 
organization and effectiveness of communication among those charged with governance, 
external and internal auditors, and management. 
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Applicability of Provisions of Internal Audit: As per section 138 of the Companies Act, 
2013 the following class of companies (prescribed in rule 13 of Companies (Accounts) Rules, 
2014) shall be required to appoint an internal auditor or a firm of internal auditors, namely- 

(a) every listed company; 

(b) every unlisted public company having- 

(i) paid up share capital of fifty crore rupees or more during the preceding financial 
year; or 

(ii) turnover of two hundred crore rupees or more during the preceding financial year; or 

(iii) outstanding loans or borrowings from banks or public financial institutions 

exceeding one hundred crore rupees or more at any point of time during the 
preceding financial year; or 

(iv) outstanding deposits of twenty five crore rupees or more at any point of time during 
the preceding financial year; and 

(c) every private company having- 

(i) turnover of two hundred crore rupees or more during the preceding financial year; or 

(ii) outstanding loans or borrowings from banks or public financial institutions 

exceeding one hundred crore rupees or more at any point of time during the 
preceding financial year: 

It is provided that an existing company covered under any of the above criteria shall comply 
with the requirements within six months of commencement of such section. 

Who can be appointed as Internal Auditor? As per section 138, the internal auditor shall 
either be a chartered accountant whether engaged in practice or not or a cost accountant, or 

such other professional as may be decided by the Board to conduct internal audit of the 

functions and activities of the companies. The auditor may or may not be an employee of the 
company. 

To be effective, the internal auditor must be regarded as part of the management and not 
merely as an assistant thereto. He must have authority to investigate from the financial angles, 
every phase of the organisational activity under any circumstances. In recent years, there has 
been a growing tendency in Western countries to make the internal auditor responsible directly 
to the Board of Directors for the maintenance of adequate accounting procedures and for the 
preparation of financial statements and reports as regards the functioning of the business. His 
main responsibility, however, must be to maintain adequate system of internal control by a 
continuous examination of accounting procedures, receipts and disbursements and to provide 
adequate safeguards against misappropriation of assets. In carrying out these functions, he 
must operate independently of the accounting staff and must not in any way divest himself of 
any of the responsibilities placed upon him. He should also not involve himself in the 
performance of executive functions in order that his objective outlook does not get obscured 
by the creation of vested interest. 
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It may be further pointed out that internal auditors who are qualified accountants, because of 
their training and experience, can be of great assistance to the management even in fields 
other than accounting. They can observe facts and situations and bring them to notice of 
authorities who would otherwise never know them; also, they critically appraise various 
policies of the management and draw its attention to any deficiencies, wherever these require 
to be corrected. In order that an internal auditor may be able to play such a role in the field of 
management, he must be closely associated with it and his knowledge must be kept up to date 
by his being kept informed about all important occurrences and events affecting the business, 
as well as the changes that are made in business policies. Also, he must enjoy an 
independent status. 

In addition, the Audit Committee of the company or the Board shall, in consultation with the 
Internal Auditor, formulate the scope, functioning, periodicity and methodology for conducting 
the internal audit. 

It may also be noted that the Central Government may, by rules, prescribe the manner and the 
intervals in which the internal audit shall be conducted and reported to the Board. 

Internal Audit vs. Internal Check: Internal audit is a review of the operations and records, 
sometimes continuously undertaken, within a business, by specially assigned staff. But 
internal audit must not be confused with internal check. Internal check consists of a set of 
rules or procedures that are part of the accounting system, introduced so as to ensure that 
accounts of a business shall be correctly maintained and the possibility of occurrence of 
frauds and errors eliminated. On the other hand, internal audit is a thorough examination of 
the accounting transactions as well as that of the system according to which these have been 
recorded, with a view to reassuring the management that the accounts are being properly 
maintained and the system contains adequate safeguards to check any leakage of revenue or 
misappropriation of property or assets and the operations have been carried out in conformity 
with the plans of the management. However, the routine processes by which an internal audit 
is carried out are broadly the same as those followed for professional audit. But internal audit 
often differs in its scope and emphasis: it is more managerial than accounting; also its form is 
varied, depending on the size of the organisation. For instance, whereas a professional 
auditor is primarily concerned with the legality or validity of transactions entered into by a 
business, an internal auditor in addition is expected to ensure that the standards of economy 
and efficiency are being maintained. On that account, the internal auditor must ascertain that 
orders for the purchase of inventory are placed only after inviting tenders, sales are affected at 
the highest ruling rates, standard procedures as regards requirement of staff are followed, and 
losses in manufacturing process suffered during the period under review are not higher than 
those in the earlier periods and so on. He must further confirm that there has been no leakage 
of inventories or revenue, overpayment of expenditure or pilferage or misappropriation of 
inventories or of any other asset, reconciling the physical accounting records and physical 
balance. The nature and extent of checking that the auditor should carry out also would 
depend on the size and type of the business organisation. 
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4.15 Relationship between the Statutory and the Internal Auditors 

The function of an internal auditor being an integral part of the system of internal control. It is 
statutory requirement too as per section 138 of the Companies Act, 2013 where the Audit 
Committee of the company or the Board shall, in consultation with the Internal Auditor, 
formulate the scope, functioning, periodicity and methodology for conducting the internal audit. 
However, it is obligatory for a statutory auditor to examine the scope and effectiveness of the 
work carried out by the internal auditor. For the purpose, he should examine the Internal Audit 
Department of the organisation, the strength of the internal audit staff, their qualification and 
their powers. Afterwards the procedures should be studied; also the scope of the audit 
examination carried out should be ascertained on referring to audit programmes, reports 
submitted, points raised in audit and how these had been dealt with subsequently. The extent 
of independence exhibited by the internal auditor in the discharge of his duties and his status 
in the organisation are important factors for determining the effectiveness of his audit. In a 
large business, it has been increasingly recognised that, if their functions and those of 
statutory auditors could be integrated, it might not be necessary for the statutory auditors to go 
over the same facts and figure as have been previously examined by a competent and 
trustworthy internal audit staff. But so far, the practice of audit being conducted jointly by the 
internal auditors is of great assistance to statutory auditors. 

If the statutory auditor is satisfied on an examination of the work of the internal auditor, that 
the internal audit has been efficient and effective, he often decides to curtail his audit 
programme by dispensing with some of the detailed checking already carried out by the 
Internal Audit Department after or without testing the work already done. He, at times, also 
decides to entrust certain items of work to the internal auditor. Given below are items of audit 
work in regard to which the statutory auditor accepts the checking that has already been 
carried out by the internal auditor; 

(i) Verification of the system of internal control; 

(ii) Verification of assets, e.g., inventory in trade, fixed assets, book debts, etc.; and 

(iii) Verification of amounts provided for expenses as well as amounts adjusted as prepaid 
expenses. 

It must however be mentioned that the area of co-operation between the statutory and the 
internal auditor is limited by the fact that the statutory auditor and the internal auditor owe their 
allegiance to separate authorities, the shareholders in one case and the management in the 
other. Therefore, the former is not protected against the liability for negligence which may 
arise in such a case. 

4.15.1 General Evaluation of Internal Audit Function: The external auditor’s general 
evaluation of the internal audit function will assist him in determining the extent to which he 
can place reliance upon the work of the internal auditor. The external auditor should document 
his evaluation and conclusions in this respect. 
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As per SA-61 0, “Using the Work of an Internal Auditor’’, in determining whether the work of the 

internal auditors is likely to be adequate for purposes of the audit, the external auditor shall 

evaluate: 

(a) The objectivity of the internal audit function; 

(b) The technical competence of the internal auditors; 

(c) Whether the work of the internal auditors is likely to be carried out with due professional 
care; and 

(d) Whether there is likely to be effective communication between the internal auditors and 
the external auditor. 

Factors that may affect the external auditor’s determination of whether the work of the internal 

auditors is likely to be adequate for the purposes of the audit include: 

Objectivity 

• The status of the internal audit function within the entity and the effect such status has 
on the ability of the internal auditors to be objective. 

• Whether the internal audit function reports to those charged with governance or an 
officer with appropriate authority, and whether the internal auditors have direct access to 
those charged with governance. 

• Whether the internal auditors are free of any conflicting responsibilities. 

• Whether those charged with governance oversee employment decisions related to the 
internal audit function. 

• Whether there are any constraints or restrictions placed on the internal audit function by 
management or those charged with governance. 

• Whether, and to what extent, management acts on the recommendations of the internal 
audit function, and how such action is evidenced. 

Technical competence 

• Whether the internal auditors are members of relevant professional bodies. 

• Whether the internal auditors have adequate technical training and proficiency as internal 
auditors. 

• Compliance with the mandatory/ recommendatory Standards on Internal Audit (SIAs) 
issued by Internal Audit Standards Board of the Institute of Chartered Accountants of 
India (ICAI). 

• Whether there are established policies for hiring and training internal auditors. 

Due professional care 

• Whether activities of the internal audit function are properly planned, supervised, 
reviewed and documented. 
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• The existence and adequacy of audit manuals or other similar documents, work 
programs and internal audit documentation. 

Communication 

Communication between the external auditor and the internal auditors may be most effective 
when the internal auditors are free to communicate openly with the external auditors, and: 

• Meetings are held at appropriate intervals throughout the period; 

• The external auditor is advised of and has access to relevant internal audit reports and 
is informed of any significant matters that come to the attention of the internal auditors 
when such matters may affect the work of the external auditor; and 

• The external auditor informs the internal auditors of any significant matters that may 
affect the internal audit function. 

4.15.2 Coordination: Having decided in principle that the external auditor intends to rely 
upon the work of the internal auditor, it is desirable that the external auditor ascertains the 
internal auditor’s tentative plan for the year and discusses it with him at as early a stage as 
possible to determine areas where he considers that he could rely upon the internal auditor’s 
work. Where internal audit work is to be a factor in determining the nature, timing and extent of 
the external auditor’s procedures, it is desirable to plan in advance the timing of such work, 
the extent of audit coverage, test levels and proposed methods of sample selection, 
documentation of the work performed, and review and reporting procedures. 

Coordination with the internal auditor is usually more effective when meetings are held at 
appropriate intervals during the year. It is desirable that the external auditor is advised of, and 
has access to, relevant internal audit reports and in addition is kept informed, along with 
management, of any significant matter that comes to the internal auditor’s attention and which 
he believes may affect the work of the external auditor. Similarly, the external auditor should 
ordinarily inform the internal auditor of any significant matters which may affect his work. 

The external auditor shall determine: 

(a) Whether the work of the internal auditors is likely to be adequate for purposes of the 
audit; and 

(b) If so, the planned effect of the work of the internal auditors on the nature, timing or 
extent of the external auditor’s procedures. 

In determining whether the work of the internal auditors is likely to be adequate for purposes 
of the audit, the external auditor shall evaluate: 

(a) The objectivity of the internal audit function; 

(b) The technical competence of the internal auditors; 

(c) Whether the work of the internal auditors is likely to be carried out with due professional 
care; and 
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(d) Whether there is likely to be effective communication between the internal auditors and 
the external auditor. 

In determining the planned effect of the work of the internal auditors on the nature, timing or 
extent of the external auditor’s procedures, the external auditor shall consider: 

(a) The nature and scope of specific work performed, or to be performed, by the internal 
auditors; 

(b) The assessed risks of material misstatement at the assertion level for particular classes 
of transactions, account balances, and disclosures; and 

(c) The degree of subjectivity involved in the evaluation of the audit evidence gathered by 
the internal auditors in support of the relevant assertions. 

Further, it may be useful to agree in advance the following matters with the internal auditors: 

• The timing of such work; 

• The extent of audit coverage; 

• Materiality for the financial statements as a whole (and, if applicable, materiality level or 
levels for particular classes of transactions, account balances or disclosures), and 
performance materiality; 

• Proposed methods of item selection; 

• Documentation of the work performed; and 

• Review and reporting procedures. 

Using Specific Work of the Internal Auditors: In order for the external auditor to use specific 
work of the internal auditors, the external auditor shall evaluate and perform audit procedures 
on that work to determine its adequacy for the external auditor’s purposes. The nature, timing 
and extent of the audit procedures performed on specific work of the internal auditors will 
depend on the external auditor’s assessment of the risk of material misstatement, the 
evaluation of the internal audit function, and the evaluation of the specific work of the internal 
auditors. Such audit procedures may include: 

• Examination of items already examined by the internal auditors; 

• Examination of other similar items; and 

• Observation of procedures performed by the internal auditors. 

To determine the adequacy of specific work performed by the internal auditors for the external 
auditor’s purposes, the external auditor shall evaluate whether: 

(a) The work was performed by internal auditors having adequate technical training and 
proficiency; 

(b) The work was properly supervised, reviewed and documented; 

(c) Adequate audit evidence has been obtained to enable the internal auditors to draw 
reasonable conclusions; 
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(d) Conclusions reached are appropriate in the circumstances and any reports prepared by 
the internal auditors are consistent with the results of the work performed; and 

(e) Any exceptions or unusual matters disclosed by the internal auditors are properly 
resolved. 

Documentation: When the external auditor uses specific work of the internal auditors, the 
external auditor shall document conclusions regarding the evaluation of the adequacy of the 
work of the internal auditors, and the audit procedures performed by the external auditor on 
that work. 

Inventory Appendices 

Internal Control Questionnaires 

Extract from Internal Control Questionnaire published by the Institute of Chartered Accountants of India 
(Note: Columns Yes, No, N.A. and Explanatory Notes have been omitted here) 

I - Purchases and Trade payables 

1. Are purchases centralised in the Purchase Department? 

2. (a) Are purchases made only from approved suppliers? 

(b) Is a list of approved suppliers maintained for this purpose? 

(c) Does the master list contain more than one source of supply for all important materials? 

3. Are the purchase orders based on valid purchase requisitions duly signed by persons authorised 
in this behalf? 

4. (a) Are purchases made on behalf of employees? 

(b) If so, is the same procedures followed for other purchases? 

5. Is special approval required for: 

(a) Purchase from employees, directors and companies in which directors are interested? 

(b) Purchases of capital goods? 

6. Are purchases based on competitive quotations from two or more suppliers? 

7. Is comparative quotation analysis sheet drawn before purchases are authorised? 

8. If the lowest quotation is not accepted, is the purchase approved by senior official? 

9. If the price variation clauses is included, is it approved by a senior official? 

10. Are purchase orders pre-numbered and strict control exercised over unused forms? 

11. Are purchase orders signed only by employees authorised in this behalf? 

12. Do purchase orders contain the following minimum information: 


(a) 

Name of supplier? 

(b) 

Delivery terms? 

(c) 

Quantity? 

(d) 

Price? 

(e) 

Freight terms? 

(f) 

Payment terms? 


13. Is revision of terms of purchase orders duly authorised? 
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14. (a) Are copies of purchase orders and revisions forwarded to Accountants and Receiving 

Departments? 

(b) If 'Yes’, do the copies show the quantities ordered? 

(c) If ‘no’, is there an adequate procedure for the Receiving Dept., to be notified to accept 
deliveries? 

15. Is a list of pending purchase orders compiled by the Purchase Dept., at least once every quarter? 

16. Are all materials, suppliers, etc., received only in the Receiving Department? 

17. If they are received directly by User Department/Processors/Customers, is there a procedure of 
obtaining acknowledgments for the quantity received and the condition of the goods? 

18. Are persons connected with receipt of materials and the keeping of receiving records denied 
authority to issue purchase orders or to approve invoices? 

19. Are materials, suppliers, etc., inspected and counted, weighed or measured in the Receiving 
Department? 

20. Are quantities and description checked against purchase order (or other form of notifications) and 
goods inspected for condition? 

21. (a) Does the Receiving Dept, deliver or supervise the delivery of each item received to the 

proper Stores or Department Location? 

(b) Are acknowledgments obtained from suppliers for goods/containers returned to them? 

22. Are all receipts of materials evidenced by pre-numbered Goods Received Note? 

23. Are copies of Goods Received Notes forwarded to Accounts Department and list of goods 
received to purchase department? 

24. Are all cases of materials returned, shortages and rejections advised to the Accounts 
Department, for raising Debit Memoes on suppliers or claim bills on carriers/insurance compa- 
nies, as the case may be? 

25. Are all debit notes etc. 

(a) pre-numbered? 

(b) numerically controlled? 

(c) properly recorded (in the financial accounts or in memorandum registers as the case may 
be)? 

26. (a) Are all suppliers’ invoices routed direct to the Accounts Department? 

(b) Are they entered in a Bill Register before submitting them to other department for check 
and/or approval? 

(c) Are advance and partial payments entered on the invoices before they are submitted to 
other departments? 

27. Does the system ensure that all invoices and credit notes are duly processed? 

28. In respect of raw materials and supplies, are reconciliations made of quantities and/or values 
received, as shown by purchase invoices with receipts into inventory records? 

29. Are duplicate invoices marked immediately on receipt to avoid payment against them? 
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30. If payment are made against duplicate invoice even occasionally, are adequate precautions taken 
to avoid duplicate payments? 

31. Does the Accounts Department match the invoices of supplies with Goods Received Notes or 
acknowledgments received as per Q 17 and purchase orders? 

32. (a) Are Goods Received Notes and Receiving records regularly received for items for which no 

invoices have been received? 

(b) Are all such items investigated and is provision made for the liability in respect of such 
items? 

(c) In such review/investigation done by persons independent of those responsible for the 
receipt and control of goods? 

33. Do all invoices bear evidence of being checked for prices, freight terms, extensions and 
additions? 

34. Is the relative purchase order attached to the invoice for payment? 

35. Where the client both buys from and sells to a person regularly, is a periodic review made of all 
amounts due from that person to determine whether any set-off is necessary? 

36. (a) Is a special request used for making payments in advance or against documents through 

bank? 

(b) Thereafter, are the invoices made in the normal course? 

37. (a) Are all advance payments duly authorised by persons competent to authorise such 

payments? 

(b) Is a list of pending advances made at least every quarter and is a proper follow-up 
maintained? 

38. Are all adjustments to trade payables accounts duly approved by those authorised in this behalf? 

39. Is a list of employees by designation with limits of authority in respect of several matters referred 
to in this section maintained? 

40. Are all supplier’s statements compared with ledger account? 

41. Is there any follow-up action to investigate difference, if any between the suppliers’ statements 
and the ledger accounts? 

42. Is a list of unpaid trade payables prepared and reconciled periodically with the General Ledger 
Control Account? 

43. Is there a system of ensuring that cash discounts are availed of whenever offered? 

II - Sales and Trade receivables 

1. Are standard price lists maintained? 

2. Are prices which are not based on standard price lists, required to be approved by a senior 
executive outside the State Department? 

3. Are written orders from customers received in all cases? 

4. If oral/telephonic orders are received, are they recorded immediately in the client’s standard 
forms? 

5. Is there a numerical control of all customer’s orders? 
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6. Are credit limits fixed in respect of individual customers? 

7. Are these limits approved by an official independent of the Sales Department? 

8. Are credit limits reviewed periodically? 

9. Are customers’ credit limits checked before orders are accepted? 

10. Is this done by a person independent of the Sales Department? 

11. If sales to employees are made at concessional prices: 

(a) Is there a limit to the value of such sales? 

(b) Is there an adequate procedure to see that these limits are not exceeded? 

(c) Are the amounts recovered in accordance with the terms of sale? 

12. Are despatches of goods authorised only by Despatch Notes/Gate Passes or similar documents? 

13. Do such Despatch Notes/Gate Passes or similar documents bear pre-printed numbers? 

14. Are they under numerical control? 

15. Are they prepared by a person independent of: 

(a) the Sales Department? 

(b) the processing of invoices? 

16. Except when all documents are prepared in one operation, are the Despatch Notes/ Gate Passes 
matched with: 

(a) Excise Duty records? 

(b) Sales invoices? 

(c) Freight payable to carriers (where applicable)? 

17. Are unmatched Despatch Notes/Gate Passes reviewed periodically? 

18. Are the goods actually despatched checked independently with the Despatch Notes/Gate Passes 
and Customer’s Orders? 

19. Are acknowledgments obtained form the customers for the goods delivered? 

20. Are the customers’ orders marked for goods delivered? 

21. Are shortages in goods delivered to the Customers investigated? 

22. Are credits to customers for shortages, breakages and losses in transit matched with claims 
lodged against carriers/insurers? 

23. Are sales invoices pre-numbered? 

24. Are all invoice numbers accounted for? 

25. Are invoices checked for: 

(a) prices? 

(b) calculations (including excise duty and sales tax)? 

(c) terms of payment? 

26. Are ‘no charge’ invoices authorised by a person independent of the custody of goods or cash? 
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27. Are invoices mailed direct to the customers promptly? 

28. Are credits to customers for remittances posted only from the entries in the cash book (or 
equivalent record)? 

29. Does cashier notify immediately: 

(a) Sales Department, 

(b) Trade receivables’ Ledger Section and 

(c) Credit Controller; 

(i) of all dishonoured cheques or other negotiable instruments? 

(ii) of all documents sent though band but not retired by the customers? 

30. Is immediate follow up action taken on such notification? 

31 . Are bills of exchange (or other negotiable instruments) accepted by customers recorded? 

32. Are the bills of exchange, etc. as per such record periodically verified with the bills on hand? 

33. (a) Is a record of customers’ claims maintained? 

(b) Are such claims properly dealt with in the accounts? 

34. Does the Receiving Department count, weigh or measure the goods returned by customers? 

35. Does the Receiving Department record them on a Sales Returns Note? 

36. Are copies of Sales Returns Notes sent to: 

(a) Customer?(b) Sales Department? (c) Trade receivables Ledger Section? 

37. Are the returned goods taken into inventory immediately? 

38. Is a Credit Note issued to the customer for the goods returned? 

39. Are all Credit Notes pre-numbered? 

40. Are Credit Notes numerically controlled? 

41 . Are Credit Notes authorised by a person independent of: 

(a) Custody of goods? (b) Cash receipts? (c) Trade receivables’ Ledger? 

42. Are Credit Notes: 

(a) compared with Sales Returns Notes or other substantiating evidence? 

(b) checked for prices? 

(c) checked for calculations? 

43. Are corresponding recoveries of sales commissions made when Credit Notes are issued to 
customers? 

44. Are units of sales (as per sales invoices) correlated and reconciled with the purchases (or 
production) and inventories on hand? 

45. Is the Sales Ledger balanced periodically and tallied with the General Control Account? 

46. Are ageing schedules prepared periodically? 

47. Are they reviewed by a responsible person? 
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48. Are statements of accounts regularly sent to all customers? 

49. Are the statements checked with the Trade receivables’ Ledger before they are issued? 

50. Are the statements mailed by a person independent of the ledger keeper? 

51 . Are confirmations of balances obtain periodically? 

52. Are the confirmations verified by a person independent of the ledger-keeper and the person 
preparing the statement? 

53. Is special approval required for: 

(a) payments of customers’ credit balances? 

(b) writing off bad debts? 

54. Is any accounting control kept for bad debts written off? 

55. Is any follow up action taken for recovering amounts written off? 

56. In the case of export sales: 

(a) Is a record maintained of import entitlements due? 

(b) Does the record cover the utilisation disposal of such entitlements? 

(c) Is there a procedure to ensure that claims for incentives etc., receivable are made in time? 

57. Are sales of scrap and wastage subject to the same procedures and controls as sales of finished 
goods? 

Ill - Inventory 

1. Are inventories stored in assigned areas? 

2. If so, is access to these areas limited? 

3. Are inventories insured against the following risks: 

(a) fire? (b) strike, riot and civil commotion? 

(c) flood? (d) hail damage where applicable? 

4. If the answer to any of the above is negative, is it due to specific decision taken by a senior 
official? 

5. Is a record maintained for the insurance polices? 

6. Is the record reviewed periodically? 

7. Is there an official who decides on the value for which the inventories are to be insured? 

8. Is the adequacy of the insurance cover reviewed periodically? 

9. Are perpetual inventories records kept for: 

(a) raw materials? (b) work-in-progress? 

(c) finished goods? (d) stores? 

10. Are they periodically reconciled with accounting records? 

11. Is there a system of perpetual inventory for inventories of: 

(a) raw materials? (b) work-in-progress? 
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(c) finished goods? (d) stores? 

12. Where there is a system of perpetual inventory count: 

(a) Is there a periodical report of shortages/excess? 

(b) If so, are these differences investigated? 

(c) Are these differences adjusted in the inventory records and in the financial accounts? 

(d) Is written approval obtained from a responsible official to adjust these differences? 

13. Are there norms for inventory levels to be held? 

14. Is there a periodic reporting of: 

(a) Slow-moving items? (b) Damaged items? 

(c) Obsolete items? (d) Over-stocked items? 

15. Is there a well-laid out written procedure for inventory count? 

16. (a) Are inventories physically verified once in a year? 

(b) Is this done by a person independent of persons who are responsible for maintaining these 
records or the storekeeper? 

(c) Are written instructions prepared for guidance of employees engaged in physical inventory 
taking to cover: 

(i) Proper identification and arrangement of inventories? 

(ii) Cut-off points of receipts and deliveries? 

(iii) Recording of the condition of the inventories? 

(iv) Compliance with the conditions warranties in the relative insurance policies? 

17. Are the physical inventory records, such as tags, cards, tally sheets, under numerical control? 

18. Are the clerical steps in the preparation of inventory sheets checked independently for: 

(a) Summarisation of quantities? (b) Unit rates? 

(c) Additions? (d) Extensions? 

(e) Unit conversions? (f) Summarisation of cards and/or sheets? 

19. Are the quantities shown in the inventory sheets compared with the quantities declared to banks 
or insurers, where possible? 

20. If there are significant variations between the actual inventories and book inventories : 

(a) Are they investigated? 

(b) Is a recount made where necessary? 

(c) Is the inventory book corrected with proper authority? 

21 . Are the following inventories checked: 

(1) Physically by the company’s staff? 

(2) With certificates from concerned holders of the inventories? 

(a) Inventory in public warehouses? 
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(b) Inventories with consignees? 

(c) Inventories with sub-contractors for fabrication, etc.? 

(d) Inventories with customers, on approval? 

(e) Inventories in bonded warehouses? 

(f) Inventories pledged with third parties? 

22. Is inventory on hand relating to third parties, such as customer’s inventories and consignments 
physically segregated or properly identified? 

23. Are the procedures relating to record keeping and inventory-taking made applicable to third also? 

24. Are confirmations obtained from the third parties for inventories held on their behalf? 

25. Are records maintained for: 

(a) Scrap available for sale? 

(b) By-products? 

(c) Returnable containers? 

26. Is there an adequate recording procedure for: 

(a) Inventories with outsides? 

(b) Inventories of outsiders held by the company? 

27. Is there a system of job/production orders for control of production? 

28. Does the storekeeper issue raw materials, stores etc., only against Requisition Notes signed by 
properly authorised officials? 

29. Does the storekeeper acknowledge in writing the quantity of finished goods received from the 
Factory? 

30. Is the inventory record periodically checked with such acknowledgments? 

31 . Does the cost system provide for obtaining units or job order costs for: 

(a) Work-in-progress? 

(b) Finished goods? 

32. Is the cost system integrated with/or reconciled to General Ledger controls as regards: 

(i) Material? (ii) Labour? 

(iii) Overheads? 

33. Does the cost system provide for detailed units or job order costs in terms of: 

(i) Raw material costs? (ii) Direct labour? 

(iii) Overheads? (iv) Physical quantities? 

(v) Unit rates? 

34. Are similar records kept for service departments also? 

35. Are overhead rates: 

(a) Reviewed periodically by designated employees? 
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(b) Adjusted in the light of current experience? 

36. Are separate control accounts maintained for inventory of: 

(a) Work-in-progress? (b) Finished goods? 

37. In a job order industry, are the estimates of costs compared with actual costs? 

38. If standard cost system exists: 

(i) Are variances investigated? 

(ii) Are standards reviewed periodically? 

IV. Cash and Bank Receipts 

1 . Is inward mail opened by persons not connected with handling cash or the Accounts Department? 

2. Is the inward mail date stamped? 

3. Is there a detailed record of receipts prepared? 

4. Are all cheques specially crossed by employees opening mail? 

5. Are bank deposits prepared and made by some one other than those responsible for cash 
receipts and/or personal ledger? 

6. Are duplicate (or counterfoils of) receipted deposit slips received from the bank? 

7. Is there any comparison of items listed on the duplicate (or counterfoils of) deposit slips with the 
amounts of cheques recorded in the cash receipts records? 

8. Are receipts given for over-the-counter collections” 

9. Is the reconciliation of such proofs of collection with amounts banked? 

10. Are collections of branch offices and sales offices deposited in special bank accounts, subject to 
withdrawal only by the Head Office? 

11. If collections are made by representatives of the company in cash, have serially numbered 
receipts been issued to them? 

12. Is there a system of issuing permanent receipts in lieu of the Temporary/Provisional receipts 
issued by bill collectors, etc.? 

13. Are such collections promptly received and banked? 

14. Are the receipt forms: 

(a) serially numbered? 

(b) kept in safe custody? 

(c) controlled by register? 

(d) unused inventories checked regularly? 

(e) made out by one employee and despatched by another? 

(f) accounted for, including those cancelled? 

(f) in respect of partially used receipt books not intended to be used, cancelled? 

15. Are cancelled receipts preserved? 

16. If post-dated cheques are received, are they held in safe custody until deposited? 
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17. Are such cheques entered in a separate register? 

18. Is the opening of bank accounts authorised by the Board of Directors? 

19. Are sundry items, such as dividends, interest, rent, commissions, etc. regularly checked by 
responsible official to satisfy himself that correct amounts are received? 

20. Is there a procedure to ensure that Hundi borrowings are only by cheques crossed “Accounts 
Payee”? 

21 . Is the cash balance verified frequently? 

22. Incoming money orders, VPP receipts etc.: 

(a) Are they signed by any official other than the cashier? 

(b) Are they listed immediately? 

(c) Are such lists compared with the Cash Book regularly? 

(d) Is there an arrangement with the Postal authorities to receive cheques instead of cash? 

23. Are the cashier’s duties taken over for a few days, by some one else, occasionally? 

24. If a rough cash book is maintained: 

(a) Is the fair cash book written up promptly? 

(b) Is the fair cash book checked with the rough cash book, by a person other than the cashier? 

V. Cash and Bank Payments 

1 . Does the company's policy prohibit disbursements directly from cash receipts? 

2. Are all disbursements made by cheques? 

3. Are the names of officials and the limits upto which they are authorised to sign cheques, 
specified? 

4. Are all cheques payable ‘to order” and crossed ‘Account Payee Only” except cheques for wages 
and petty cash? 

5. Are cheque protectors used? 

6. Are unused cheques under proper physical control? 

7. Are cancelled cheques mutilated? 

8. Is the practice of signing cheques in blank, prohibited? 

9. Are payments made only against original invoices (or equivalent documents? 

10. Are cheques accompanied by vouchers when presented for signature? 

11. Do vouchers contain evidence of examination by persons signing cheques and/or those 
authorising vouchers for payment? 

12. Is the accounting distribution on the voucher checked at the time of payment? 

13. Are all supporting documents properly defaced and identified by cheque number at the time of 
signature? 

14. Is there a method to check if cheques are despatched immediately? 
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15. Are remittances by bank transfers or letters of instructions (e.g., TTs, MTs, standing instructions) 
subject to the same controls as cheque payments? 

16. Is there an effective system in force for following up receipts from payees and filling complete 
vouchers? 

17. When “stop-payment” instructions are issued, are the original entries reversed immediately? 

18. Is there a schedule of dates in each month for the recurring payments such as P.F., Tax deducted 
at source. Telephone bills, Electricity bills, etc.? 

19. In respect of bills accepted? 

(a) is there a record of such bills? 

(b) are they signed by official authorised to do so? 

20. Are bank loans or overdrafts (including temporary overdrafts) arranged only by officials 
authorised by the Board? 

VI. Fixed Assets 

Purchases and Disposal 

1 . Are budgets for capital expenditure approved by the Board? 

2. Are approved budgets communicated in writing to: 

(a) Purchase Department? 

(b) Accounts Department? 

(c) Department originating the request? 

3. Are written authorisations required for incurring capital expenditure for items included in the 
Budget? 

4. Is the authority to incur capital expenditure restricted to specified officials? 

5. Are purchases of capital items subject to same controls as are applicable to purchases of raw 

materials, stores, etc.? 

6. Are receipts of capital items subject to same procedures as applicable to raw materials, stores, 
etc.? 

7. Is there proper check to see that amounts expended do not exceed the amount authorised? 

8. Are supplemental authorities required for excess expenditures? 

9. Is there any established procedure for moving plant and machinery from one location to another? 

10. (i) Is written authority required for: 

(a) scrapping fixed assets? 

(b) selling fixed assets? 

(ii) Is the authority to permit scrapping/selling of fixed assets restricted to specified officials? 

(iii) Are limits specified in this regard? 

(iv) Are sales of fixed assets subject to same procedures as are applicable to sales of finished 
goods? 
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11. Are reports issued promptly in respect of: 

(a) units sold? 

(b) units scrapped? 

(c) units moved from one location to another? 

Records: 

12. Are fixed assets under construction: 

(a) subject to separate control account in General Ledger? 

(b) controlled by job number? 

13. Is expenditure on wages, materials and stores charged to capital account on reasonable basis? 

14. Is there any official responsible for ensuring that allocation of expenditure between capital and 
revenue is in accordance with the company’s accounting policy? 

15. Isa register of all fixed assets (including fully depreciated assets) maintained? 

16. Is the register regularly written up throughout the year? 

17. Is the register periodically tallied with the financial accounts? 

18. Is the following information available, in the register? 

(a) Supplier’s name 

(b) Date of purchase 

(c) Cost (including additions, improvements, exchange rate adjustments etc.) 

(d) Location and identification number 

(e) Rate of depreciation and estimated life 

(f) Accumulated depreciation 

(g) Estimated salvage value 

19. Isa record maintained of equipment used by the company, but owned by others? 

20. Is the register of patents or trade marks maintained up-to-date? 

21 . Is there a list of title deeds for the landed properties and buildings? 

22. Are title deeds of properties kept in safe place? 

23. If they are lodged as security, are certificates obtained to that effect periodically? 

24. Are registration books of vehicles periodically verified? 

Verification: 

25. Are fixed assets verified periodically? 

26. Is there a written procedure for such verification? 

27. Does the procedure provide for verification/confirmation of fixed assets with third parties? 

28. Does the procedure provide for verification of compliance with the warranties and conditions in 
the relevant insurance policies? 

29. Are reports prepared on such verification? 
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30. Do such reports indicate damaged/obsolete items of fixed assets? 

31. (a) Are discrepancies disclosed by such reports investigated? 

(b) Are the records and financial accounts corrected, with proper authority? 

32. Are damaged/obsolete items disclosed by such reports, removed from the records and financial 
accounts with proper authority? 

Moulds, Patterns, Jigs, Fixtures, Tools etc. 

33. Is there satisfactory control over the acquisition and write-off of such items? 

34. Are there physical safeguards against theft or loss of tools and other movable equipment? 

35. Are records maintained for: 

(a) items treated as inventory? 

(b) items treated as fixed assets? 

Insurance: 

36. (i) Are the following risks covered in respect of buildings and machinery: 

(a) Fire 

(b) Strike, riot and civil commotion 

(c) Flood 

(d) Earthquake 

(e) Nuclear risks 

(f) Malicious damage 

(g) War risks 

(ii) If the answer to any of the above is negative, is it due to a specific decision taken by a 
senior official? 

37. Is there an adequate procedure to ensure that assets acquired between two renewal dates are 
also covered by insurance? 

38. Is there an official who decides on the value for which policies are taken? 

39. Are the fixed assets insured at re-instatement basis? 

40. Does the official, who decides on the value for which policies are taken, review periodically the 
adequacy of the insurance cover? 

41. (i) Is there loss-of-profits insurance cover? 

(ii) Is there machinery-breakdown insurance cover? 

(iii) If the answer to (i) or (ii) is negative is it due to a specific decision taken by a senior official? 

VII. Bank Balances 

1. Are bank statements opened by a person other than the person signing cheques, recording cash 
and receiving or disbursing? 

2. Are the bank accounts reconciled at regular intervals? 
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3. Is Bank reconciliation statement drawn by a person independent of cash receipt and 
disbursement function? 

4. Does the reconciler compare each item in the deposit and withdrawal columns of the bank 
statement with amount deposited or withdrawn as shown by the cash records both as regards 
date and amount? 

5. Is there a periodic follow-up of old: 

(i) outstanding deposits? 

(ii) outstanding payments? 

(iii) outstanding stop-payment advices? 

6. Are the items under reconciliation reviewed by a responsible official promptly or upon completion? 

7. Are confirmations of balances obtained periodically in respect of all bank balances and compared 
with the bank statements? 

8. Is there a periodic review of balances held as security, for letters of Credit, Guarantees, etc., to 
ensure the need for their continuance? 

9. Are Fixed Deposit Receipts held in safe custody? 

10. Is there a register of Fixed Deposits showing maturity dates, rates of interest and dates for 
payment of interest? 

11. Is there a follow-up system to ensure that interest on Fixed Deposits is received on due dates? 

12. Is a Certificate obtained from the bank for Deposit Receipts lodged as security? 
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